Foreword



ETAPS 2004 was the seventh instance of the European Joint Conferences on Theory and Practice of Software. ETAPS is an annual federated conference that was established in 1998 by combining a number of existing and new conferences. This year it comprised five conferences (FOSSACS, FASE, ESOP, CC, TACAS), 23 satellite workshops, 1 tutorial, and 7 invited lectures (not including those that are specific to the satellite events).

The events that comprise ETAPS address various aspects of the system development process, including specification, design, implementation, analysis and improvement. The languages, methodologies and tools that support these activities are all well within its scope. Different blends of theory and practice are represented, with an inclination towards theory with a practical motivation on the one hand and soundly based practice on the other. Many of the issues involved in software design apply to systems in general, including hardware systems, and the emphasis on software is not intended to be exclusive.

ETAPS is a loose confederation in which each event retains its own identity, with a separate program committee and independent proceedings. Its format is open-ended, allowing it to grow and evolve as time goes by. Contributed talks and system demonstrations are in synchronized parallel sessions, with invited lectures in plenary sessions. Two of the invited lectures are reserved for “unifying” talks on topics of interest to the whole range of ETAPS attendees. The aim of cramming all this activity into a single one-week meeting is to create a strong magnet for academic and industrial researchers working on topics within its scope, giving them the opportunity to learn about research in related areas, and thereby to foster new and existing links between work in areas that were formerly addressed in separate meetings.

ETAPS 2004 was organized by the LSI Department of the Catalonia Technical University (UPC), in cooperation with:

European Association for Theoretical Computer Science (EATCS) 
European Association for Programming Languages and Systems 
(EAPLS) 

European Association of Software Science and Technology (EASST) 

ACM SIGACT, SIGSOFT and SIGPLAN 

The organizing team comprised 

Jordi Cortadella (Satellite Events), Nikos Mylonakis, Robert Nieuwenhuis, 
Fernando Orejas (Chair), Edelmira Pasarella, Sonia Perez, Elvira Pino, 
Albert Rubio 

and had the assistance of TILESA OPC.

ETAPS 2004 received generous sponsorship from: 




UPC, Spanish Ministry of Science and Technology (MCYT), Catalan Department for Universities, Research and Information Society (DURSI), IBM, Intel.

Overall planning for ETAPS conferences is the responsibility of its Steering 
Committee, whose current membership is: 

Rastislav Bodik (Berkeley), Maura Cerioli (Genoa), Evelyn Duesterwald (IBM, Yorktown Heights), Hartmut Ehrig (Berlin), Jose Fiadeiro (Leicester), Marie-Claude Gaudel (Paris), Andy Gordon (Microsoft Research, Cambridge), Roberto Gorrieri (Bologna), Nicolas Halbwachs (Grenoble), Görel Hedin (Lund), Kurt Jensen (Aarhus), Paul Klint (Amsterdam), Tiziana Margaria (Dortmund), Ugo Montanari (Pisa), Hanne Riis Nielson (Copenhagen), Fernando Orejas (Barcelona), Mauro Pezze (Milan), Andreas Podelski (Saarbrücken), Mooly Sagiv (Tel Aviv), Don Sannella (Edinburgh), Vladimiro Sassone (Sussex), David Schmidt (Kansas), Bernhard Steffen (Dortmund), Perdita Stevens (Edinburgh), Andrzej Tarlecki (Warsaw), Igor Walukiewicz (Bordeaux), Michel Wermelinger (Lisbon)

I would like to express my sincere gratitude to all of these people and organizations, the program committee chairs and PC members of the ETAPS conferences, the organizers of the satellite events, the speakers themselves, and finally Springer-Verlag for agreeing to publish the ETAPS proceedings. This year, the number of submissions approached 600, making acceptance rates fall to 25%. I congratulate the authors who made it into the final program! I hope that all the other authors still found a way of participating in this exciting event and I hope you will continue submitting.

In 2005, ETAPS will be organized by Don Sannella in Edinburgh. You will be welcomed by another “local”: my successor as ETAPS Steering Committee Chair, Perdita Stevens. My wish is that she will enjoy coordinating the next three editions of ETAPS as much as I have. It is not an easy job, in spite of what Don assured me when I succeeded him! But it is definitely a very rewarding one. One cannot help but feel proud of seeing submission and participation records being broken one year after the other, and that the technical program reached the levels of quality that we have been witnessing. At the same time, interacting with the organizers has been a particularly rich experience. Having organized the very first edition of ETAPS in Lisbon in 1998, I knew what they were going through, and I can tell you that each of them put his/her heart, soul, and an incredible amount of effort into the organization. The result, as we all know, was brilliant on all counts! Therefore, my last words are to thank Susanne Graf (2002), Andrzej Tarlecki and Pawel Urzyczyn (2003), and Fernando Orejas (2004) for the privilege of having worked with them.



Leicester, January 2004 



Jose Luiz Fiadeiro 
ETAPS Steering Committee Chairman 




Preface 



This volume contains the proceedings of the international conference Foundations of Software Science and Computation Structures (FOSSACS 2004), held in Barcelona, Spain, 30 March-2 April, 2004. FOSSACS is an event of the Joint Conferences on Theory and Practice of Software (ETAPS). The previous six FOSSACS conferences took place in Lisbon (1998), Amsterdam (1999), Berlin (2000), Genoa (2001), Grenoble (2002) and Warsaw (2003).

FOSSACS presents original papers on foundational research with clear significance to software science. The Program Committee invited papers on theories and methods to support the analysis, integration, synthesis, transformation, and verification of programs and software systems. In particular, we have identified the following topics: algebraic models; automata and language theory; behavioral equivalences; categorical models; computation processes over discrete and continuous data; infinite state systems; computation structures; logics of programs; modal, spatial, and temporal logics; models of concurrent, reactive, distributed, and mobile systems; process algebras and calculi; semantics of programming languages; software specification and refinement; type systems and type theory.

FOSSACS 2004 attracted over 130 submissions from which the program committee selected 34, the maximum that could fit into the available time. Unfortunately many good papers had to be turned away. These proceedings additionally contain two invited contributions: by the FOSSACS 2004 invited speaker Hubert Comon-Lundh, and by the ETAPS 2004 unifying speaker Robin Milner.

I thank all the authors for submitting their papers to FOSSACS. I am grateful to the reviewers who contributed nearly 400 informed and detailed reports. I sincerely thank the members of the Program Committee for very active participation in the electronic meeting and for coping with the additional challenges arising from the substantial increase in the number of submissions.

To administer the submission and evaluation process, we relied on a fine Web-based tool provided by METAFrame Technologies, Dortmund; thanks to Martin Karusseit and Tiziana Margaria of METAFrame for their timely support. Finally, thanks are due to the ETAPS 2004 Organizing Committee chaired by Fernando Orejas and to the ETAPS Steering Committee chaired by Jose Luiz Fiadeiro for their efficient coordination of all the activities leading up to FOSSACS 2004.



Bordeaux, January 2004 



Igor Walukiewicz 
Intruder Theories
(Ongoing Work)



Hubert Comon-Lundh* 



Laboratoire Spécification et Vérification, CNRS
Ecole Normale Supérieure de Cachan
comon@lsv.ens-cachan.fr



1 Context 

The specification of security protocols usually comes in two parts:

— A finite number of processes called roles, each of which is parametrized by agent identities and consists of a sequence of name generations (the nonces) and a finite sequence of rules u ⇒ v, which should be read as “upon receiving a message matching u, send the corresponding message v”.

— A description of intruder capabilities, sometimes given as a proof system, which we call hereafter the offline intruder theory.

The roles can be replicated and instantiated by agent names any number of times. Each such instance is called a session. The roles and the offline intruder theory define a transition system whose states consist of a local state for each agent name and a set of messages called the intruder knowledge. The peculiarity of security protocols is the synchronization mechanism: the only effect of sending a message m is to increase the intruder knowledge with m, while any message that can be forged, i.e. deduced, by the intruder using his knowledge and the offline theory can be received. This models the fact that the intruder controls the public network: he can intercept messages, forge new messages and send them through the network. In addition, dishonest (or compromised) agents communicate all their private data, increasing the intruder knowledge.

As far as confidentiality is concerned, there is an attack on the security protocol if there is a reachable state in which the intruder knowledge contains a message which is supposed to remain a secret shared by honest agents.

One of the most well-known offline intruder theories is now called the Dolev-Yao model, and relies on the perfect cryptography assumption, which roughly states that nothing can be learned about a plaintext from its encrypted version without knowing the decryption key. The verification of such protocols is undecidable in this model. This remains undecidable when there is no name generation (see e.g. [3]) or when the size of messages is bounded [6]. It becomes decidable (and co-NP-complete) when the number of sessions is bounded [10].

* This work is partly supported by the RNTL project PROUVE and the ACI Rossignol 
The perfect cryptography assumption is only an idealization of cryptographic primitives, which is not relevant in many cases. Two typical cases are the use of exclusive or (denoted ⊕) and modular exponentiation, since several protocols use, on purpose, their algebraic properties. That is why a third component in the protocol specification is now considered: the equational theory describing the (supposedly relevant) algebraic properties of cryptographic primitives. In this context, the offline intruder theory is slightly modified. The result of [10] was recently extended to a number of other models, including exclusive or [1,4] and some properties of modular exponentiation [2,9,7].

Another generalization of the offline intruder theory consists in modeling for instance guessing attacks [5]. This roughly consists in guessing a value and comparing it with the result of an independent computation, checking that the guess is correct. Again, the results of [10] are generalized in a non-trivial way. Other offline intruder theories are relevant, depending on typing assumptions, typically the ability to recognize whether a given message is a ciphertext or not. Finally, one can think of modeling some online deductions, such as the so-called chosen plaintext attacks.



2 Online Intruder Theories 

Our main contribution will be the introduction of “online intruder theories”. We claim that most existing results can be restated in a nice way in this framework, which is moreover amenable to several extensions.

If we take the intruder point of view, besides his offline deduction capabilities, he also has the possibility to send messages and get replies increasing his knowledge. This can also be modeled as deduction rules: we get what we call the online intruder theory. An attack is then simply a proof of some supposed secret in such a formal system. The advantages of such a viewpoint are many-fold.



Uniformization. Most of the decidability results for a bounded number of sessions [10,1,2,5] rely on two main properties:

— The locality of the offline intruder theory: if s is deducible from T, then there is a proof using subterms of s, T only

— A bound on the size of substitutions: if there is an attack, then there is an attack in which the intruder only forges messages that are built by stacking subterms of distinct protocol rules.

The locality of the offline theory implies its decidability in linear time. The second property implies an NP decision procedure, by guessing the adequate substitution.

In the framework of online intruder theories, these two properties are consequences of a single property of the form “if there is a proof, then there is a simple proof”.
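The offline theory of Section 1 and the locality property above, as an added example that is not code from the paper: a small Dolev-Yao deduction checker. Terms are atoms, pairs and symmetric encryptions under the perfect cryptography assumption; the closure of the intruder knowledge T is computed only over the subterms of T and the goal s, which is exactly what locality licenses. A second helper replays the "sending only increases the intruder knowledge" mechanism over a constructed trace in which a key shared with a compromised agent lets the intruder reach a secret. The names k_ab, k_ac and the scenario are constructed for the illustration, not taken from the paper, and the fixpoint is a plain polynomial saturation rather than the linear-time procedure the paper alludes to.

```python
# Added example (not from the paper): Dolev-Yao offline intruder deduction,
# with the proof search bounded by locality, plus the transition-system view
# in which every sent message is added to the intruder knowledge.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Set, Union


@dataclass(frozen=True)
class Pair:
    """Concatenation <left, right>."""
    left: "Term"
    right: "Term"


@dataclass(frozen=True)
class Enc:
    """Symmetric encryption {body}_key under perfect cryptography."""
    body: "Term"
    key: "Term"


Term = Union[str, Pair, Enc]  # atoms (names, nonces, keys) are plain strings


def subterms(t: Term) -> Set[Term]:
    """All subterms of t, t itself included."""
    out: Set[Term] = {t}
    if isinstance(t, Pair):
        out |= subterms(t.left) | subterms(t.right)
    elif isinstance(t, Enc):
        out |= subterms(t.body) | subterms(t.key)
    return out


def saturate(knowledge: Iterable[Term], goal: Term) -> FrozenSet[Term]:
    """Close T under the Dolev-Yao rules, building only subterms of T and s.

    Locality ("if s is deducible from T there is a proof using subterms of
    s, T only") is what makes this restriction complete: no composed term
    outside the bound can be needed for a proof of the goal.
    """
    known: Set[Term] = set(knowledge)
    bound: Set[Term] = set()
    for t in list(known) + [goal]:
        bound |= subterms(t)
    while True:
        new: Set[Term] = set()
        for t in known:                                   # decomposition rules
            if isinstance(t, Pair):
                new.update((t.left, t.right))             # projections
            elif isinstance(t, Enc) and t.key in known:
                new.add(t.body)                           # decryption, key known
        for c in bound - known:                           # composition rules, bounded
            if isinstance(c, Pair) and c.left in known and c.right in known:
                new.add(c)                                # pairing
            elif isinstance(c, Enc) and c.body in known and c.key in known:
                new.add(c)                                # encryption
        new -= known
        if not new:
            return frozenset(known)
        known |= new


def deducible(knowledge: Iterable[Term], goal: Term) -> bool:
    """Decide the offline judgement T |- s."""
    return goal in saturate(knowledge, goal)


def secret_leaks(initial: Iterable[Term], sent: Iterable[Term], secret: Term) -> bool:
    """Replay the public network: each message sent by an honest or
    compromised agent is added to the intruder knowledge; report whether
    the secret becomes deducible at some reachable state."""
    knowledge: Set[Term] = set(initial)
    for m in sent:
        knowledge.add(m)
        if deducible(knowledge, secret):
            return True
    return False


# Constructed scenario (an assumption for this example, not from the paper):
# A shares k_ab with B and k_ac with the compromised agent C. A sends the
# secret to B under k_ab, then distributes k_ab to C under k_ac. C hands
# k_ac to the intruder, so the second message opens the first.
S, K_AB, K_AC = "secret", "k_ab", "k_ac"
COMPROMISED = [K_AC]
TRACE = [Enc(S, K_AB), Enc(Pair("B", K_AB), K_AC)]

if __name__ == "__main__":
    print("attack on secrecy:", secret_leaks(COMPROMISED, TRACE, S))
    print("without the key distribution step:", secret_leaks(COMPROMISED, TRACE[:1], S))
```

The set `bound` is the only thing that keeps the composition rules from running forever: without locality one could pair and encrypt indefinitely, and the search would need an external size limit instead of a proof-theoretic one.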
Strategies. A proof normalization result for the online intruder capabilities can be used to restrict the search space in the case of an unbounded number of sessions; we only have to search for normal proofs.

Generality. The results for a bounded number of sessions [10,1,2,5,4,9] rely on 
similar proof schemes, but cannot be deduced from each other. Each of the 
results uses different hypotheses on the protocol or on the offline theory and the 
proofs are non-trivial. 

In [1,2], the authors give properties of the offline deduction system, called “oracle rules”, which are sufficient for their decidability result. We will state a proof normalization result, which abstracts out not only the offline deduction system but also the equational theory.

Though this has not been proved yet, all above-cited results should be corollaries of our normal proof results. In particular, it should encompass both results for the exclusive or [4,1].

Extendability. With a general result allowing one to lift offline theories to online theories, we may apply it to new models, deriving decision results for a bounded number of sessions. We may also include deductions which are typically “online”. For instance, the chosen plaintext attack can be written as a simple rule:

$$\frac{x,\,T \vdash \{x\}_k}{T \vdash k}\qquad\text{if } x \text{ does not occur free in } T$$

in other words, if, for any message x, it is possible to get the encrypted message in which x is encrypted by k, then we can compute k. Depending on the encryption algorithm, we may (or may not) include such a rule in the online intruder theory.

3 Conclusion 

We believe that studying the proof systems for online intruder theories can be 
very fruitful in deriving both theorem proving strategies and decision results for 
a large variety of models. 
Robin Milner

Abstract. This paper describes an initiative to provide theories that can underlie the development of the Global Ubiquitous Computer, the network of ubiquitous computing devices that will pervade the civilised world in the course of the next few decades. We define the goals of the initiative and the criteria for judging whether they are achieved; we then propose a strategy for the exercise. It must combine a bottom-up development of theories in directions that are currently pursued with success, together with a top-down approach in the form of collaborative projects relating these theories to engineered systems that exist or are imminent.



A Grand Challenge for Computational Theories 

Ubiquitous Computing entails large-scale networks of computing devices and agents. They are hardware or software; static, mobile or wearable; permanent or ephemeral; communicating, reflective and location-aware. They operate in highly distributed (even global) scenarios involving both processes and data, at low power and in a timely fashion, guaranteeing privacy and security, individually exhibiting high failure rate yet reliable and dependable as a whole.

There is no doubt that over the next few decades we shall see ubiquitous computing 
pervade the civilised world. This paper describes an initiative to provide theories that 
will underlie this dramatic development, both to realise its full potential and to avoid the 
huge inconvenience and possible disaster that can be caused by the ad hoc engineering 
of such a pervasive network of artefacts. The exercise forms part of a Grand Challenge 
programme mounted by the UK Computing Research Committee, but is also intended 
to merge with international programmes with similar goals. 

For this Challenge we make no separation between Ubiquitous Computing and Global Computing. They cover the Internet, together with the mobile physical devices linked to it and the software platforms built upon it; they also cover designed systems such as healthcare coordinated across a country, which involves highly distributed medical data, care-scheduling, mobile resources and emergency action. Furthermore they cover all possible collaborations among such systems, and between them and humans. We refer to this whole, which is part engineered and part natural phenomenon, as the Global Ubiquitous Computer (GUC).

As an engineered artifact, the GUC is probably the largest in human history. Yet a rigorous understanding of it, and of how it might develop, is lacking. When we add devices and software to it, we do so with some understanding of these new parts, but no clear grasp of the whole onto which we graft them. As a natural phenomenon, the GUC is as complex as many others (physical, chemical, biological or ecological) that have long been the objects of scientific study. The parts we build form part of a whole which is not, and probably never will be, the realisation of a single design; to that extent it occurs ‘naturally’, and demands scientific understanding in the traditional sense.

Just as differential equations, Laplace and Fourier transforms, and numerical linear algebra serve as toolkits both for physical theories and for traditional engineering, so computer scientists must develop theories both for understanding and for building the GUC. ‘Understanding’ and ‘building’ are generic terms that cover a range of distinct activities. We may adapt, analyse, combine, correct, design, diagnose, document, enhance, evaluate, expand, exploit, formalise, implement, instrument, refine, re-use, specify, test, validate, . . . systems. Pervading all these activities is modelling. The key to a science for the GUC is that the same models should be used both in the analytic activity (the understanding) and in the synthetic activity (the building).

Our Grand Challenge is therefore:

- To develop a coherent informatic science whose concepts, calculi, theories and automated tools allow descriptive and predictive analysis of the GUC at each level of abstraction;

- That every system and software construction, including languages, for the GUC shall employ only these concepts and calculi, and be analysed and justified by these theories and tools.

We deliberately pose this as an ideal goal. It will never be fully achieved, but we pose it in this ideal form because we see no argument that limits the degree of attainable success. If at first it seems absurd, consider that other engineering disciplines come close to achieving this goal, since (unlike software engineering) they are founded on a pre-existing science.

To be worthy of the name ‘Grand Challenge’, a goal must not only lie beyond 
the reach of existing concepts and technology, but must also admit clear criteria for 
achievement. Ours certainly meets the first requirement. For the second, we shall be able 
to declare success just to the extent to which, in one or more activities mounted on the 
GUC platform (e.g. distributed business processes, instrumented buildings, healthcare 
coordination), both the structure and the behavioural analysis of its specific software 
systems are couched fully in terms of the new science. 

The full case for this Grand Challenge can be found on the UK website for Grand Challenges in Computing Research:

http://www.nesc.ac.uk/esi/events/Grand_Challenges.



The Existing Theoretical Platform 

Considerable success has already been achieved over the past four decades in modelling many subtle features of computation. These models lead from highly developed theories of sequential computing and databases, to theories that are less developed, but already enjoy fair consensus, for concurrent interacting systems and distributed data. Here is a skeleton, roughly in order of discovery:

universal machines, automata theory, formal language theory, functional calculi, database theory, automated logics, program semantics, logics for specification and verification, type theories, Petri nets and process calculi, temporal and modal logics, calculi for mobile systems, semi-structured data, game semantics.

Almost all of these have been augmented with automated tools for design and analysis, 
such as simulation, computer-assisted reasoning and model-checking. 

This is a substantial science base. A companion paper to the Grand Challenge proposal, under the title Theories for ubiquitous processes and data, outlines the state of the art in these topics. This survey, referred to here as the ‘Platform Paper’, contains a large bibliography and is available at http://www.cl.cam.ac.uk/users/rm135/plat.pdf. It gives ample evidence of progressive refinement of the science, and also of its influence on industrial practice.

Nonetheless, this influence has been incomplete and haphazard. Why? 

The explanation lies in the extraordinary pace of technological development, and the 
corresponding pace of change in market expectations. The science has been aimed at a 
moving target, attempting to underpin the ever more complex designs made possible by 
advances in hardware and networking technology. Moreover, theories typically remain 
far longer in gestation than opportunistic design practices. Two effects can be observed: 

- The theories themselves are not yet complete or unified; 

- Software engineers have designed what the market required, rather than what has 
been analysed even by currently available theories. 

In other words, theories have not sufficiently informed software design. Often they have 
been retrofitted to it, revealing weaknesses too late to mend the design. A classic example 
is the application of type theory to legacy code, revealing just where it was vulnerable to 
the Y2000 problem. There were no great disasters after the millennial date, but enormous 
expense was incurred before it, in anticipation of what might happen. Such lack of 
confidence would not arise with well-typed code. The necessary type theory had been 
researched and published at least two decades previously. 

A second example* (closer to the GUC) concerns the IEEE 802.11 standard for data confidentiality known as Wireless Equivalent Privacy (WEP), introduced in 1999. This was found in 2001 to be severely imperfect. Analysts showed how an attacker, using a few million encrypted packets, can deduce the shared key used by WEP. Several other attacks have subsequently been found. By then, millions of devices employing WEP had been sold worldwide.

There are two motivations for our Grand Challenge. The first is negative: unless 
we offer a soundly based methodology to supplant the practice of opportunist software 
creation, there will be consequences of the kind we have illustrated, and a further mass 
of inscrutable legacy software. These consequences will be greatly more damaging than 
previously, because the GUC is pervasive, self-modifying and complex in the extreme. 

The second motivation is positive, and concerns the range of concepts that we must bring under control in understanding the GUC. This range (as we briefly indicate below) is so impressive as to justify a science; it also ensures that the design of software and systems will undergo a revolution, during which entrenched practices may be abandoned and the science may properly inform all analysis and design, as indeed it does in other engineering disciplines.

* Reported in Communications of the ACM, May 2003. 
So what are the scientific concepts involved? We do not yet know them all, but we are not starting from scratch. Theoretical work over the past fifty years has created an impressive platform of concepts, structures and tools relevant to the GUC. The Platform Paper surveys several that have emerged most recently, under eight headings:

Space and mobility; Security; Boundaries, resources and trust; Distributed data; 
Game semantics; Hybrid systems; Stochastics; Model-checking. 

This is neither a complete nor a coherent classification of relevant work; other topics 
will emerge, but these provide an initial foothold. In all of these topics we can predict 
outcomes over the next few years that are certain to be important for the GUC. We can 
think of research in these directions as the bottom-up approach to a science for the GUC. 



Strategy for Attacking the Challenge 

To complement the essential bottom-up theoretical advances, a Grand Challenge must 
also be approached by goal-directed navigation; the top-down approach. What kinds of 
project provide this navigation? 

Here we identify three levels at which experimental projects can be defined without delay. We also propose a means by which the research community can generate a portfolio of such projects and train them towards the main Challenge. These projects will enhance the value of the bottom-up research and provide incentive to undertake it.

(1) Experimental Applications. The first kind of project aims to achieve part of the goal of the Challenge for a particular application area; it consists of an Exemplary application, probably defined and achieved in (say) three-year phases. The aim of such an Exemplar is primarily experimental, not practical; it will experiment with existing and new calculi, logics and associated tools to achieve a prototypical system in which specification and design are permeated by theoretical understanding. Its success consists not in delivering the application for use in the field, but in exhibiting its formal structure and analysing its behaviour in terms of an appropriate scientific model. Here are three possible topics for such a project, all of which are currently researched:

- A sentient building; 

- Health-care coordinated across a city or country; 

- A platform for business processes. 

For example, programming for the sentient building may be based upon a process calculus for space and mobility, expanded to accommodate continuous space and time; the database for the health-care application may illustrate a theory of mobile distributed semi-structured data; the business-process platform may illustrate a particular use of process calculus and logics for specification, implementation and coordination.

There is no reason why the studied application should be a new one; there is great scientific value in taking an existing system that works in the field and re-constructing it on a more explicitly scientific basis. The goal of our Challenge is that theories should pervade the construction of a system, not merely be brought in to analyse it after construction. To mount such a theory-based design and then compare it with one that is currently working is a valuable scientific experiment.
(2) Experimental Generic Systems. Experimental Exemplars such as the above will confront many conceptual problems. Many of these will be generic, i.e. we would expect the same problem and solution in widely differing applications. This suggests that, besides underlying theories, universal engineering principles for ubiquitous systems are to be sought. A sister Grand Challenge, entitled Scalable Ubiquitous Computing Systems (SCUS), is being mounted as part of the UK exercise, with the purpose of eliciting these principles. The two Challenges will benefit from joint work on specific aspects of design. In each case we would expect to ask: How do theoretical models assist the structuring and analysis of certain aspects of a system?

Three possible topics for collaboration are: 

- Stochastic models for reconfigurable systems; 

- Resource allocation in an open distributed environment; 

- Logic and language for reflectivity. 

In the first topic, we aim for models that can predict the behaviour of reconfigurable systems (e.g. communications networks) that respond probabilistically to demands. We already have calculi for mobile distributed systems; we understand stochastic behaviour in non-mobile process calculi; we have experience in stochastic model-checking. The GUC provides the incentive to combine these three, in the attempt to establish design principles, and indeed to predict behaviour in existing systems such as the Internet.

In the second topic, one concern is how to represent disciplines for the allocation of resources (including processors, memory, and services) in a suitable calculus and associated programming language. Another concern is safety, in an open system where clients are not a priori trustworthy. This entails a logic of trust (e.g. if A trusts B and B spawns C, does A trust C?), and ways of verifying that a program implements a trust-discipline expressed in the logic.

Reflectivity, the third topic, is the ability of a system to report on its own actions, and 
on its ability to fulfil its own intentions. What degree of reflectivity should be present 
in each subsystem of the GUC? The answer will be embodied in an engineering design 
principle, as sought by SCUS. The theoretical challenge is to define a calculus in which 
the reflectivity of a process is modelled explicitly, and to demonstrate that this reflectivity 
is correctly implemented in a lower-level calculus or language. 

These three topics illustrate a rich vein of research challenges. They all explore 
the mutual influence between engineering principles and theoretical concepts. A pivotal 
component in all three is a programming language informed by the theory. 

(3) A Theoretical Hierarchy. A distinctive feature of computational modelling is that models must exist at many levels. At a high level are specifications and logics; at a low level are assembly codes. Intermediate levels are already suggested by some of the above project topics. For example, at a certain level we may model trust but not locality; at a lower level, locality but not trust. Again, at a certain level we may model communications as instantaneous, but implement them at a lower level by complex protocols.

With this in mind, models at many levels of abstraction were stipulated as part of the 
main goal of our Grand Challenge. Having seen some of the rich conceptual armoury 
required for the GUC, we can now see more clearly how these levels should be related, 
and can refine the main goal as follows: 
- To express theories for the GUC as a hierarchy of models and languages, assigning each relevant concept to a certain level in the hierarchy;

- To define, for each model M, how a system description described in M may be realised or implemented in models M_1, ..., M_n lying below M;

- To devise methods and tools for reasoning both at each level and between levels.

We now begin to see how specific projects can be mounted to bridge the gap between 
the platform of existing research and the achievement of the Challenge. Each such project 
can be seen as either developing a model for a limited range of concepts, or developing 
the realisation of such a model in terms of lower ones. For example: 

- Extending an existing calculus for mobile distributed systems to incorporate 
continuous spatial variables and stochastic state transitions; 

- A coordination calculus for systems that are heterogeneously modelled or 
programmed. 

The first topic is of theoretical interest in its own right, but can be linked to the 
Exemplar study of a sentient building. It should naturally include a programming language 
as a sub-model. The second topic acknowledges that, to meet the Challenge in a way 
that embraces existing applications, one must accommodate systems implemented in 
arbitrary languages. Just as Corba (for example) coordinates the execution of 
heterogeneously programmed systems, so a coordination calculus must admit the analysis of 
such systems. A good example is provided by existing communications protocols; the 
way to accommodate them in the Challenge is to show - for each protocol in whatever 
language - that it behaves correctly according to a specification expressed in the 
coordination calculus itself. 



Mounting the Exercise 

We have discussed theoretical topics to be developed bottom-up, and we have defined 
three categories of project that can be mounted on our existing theoretical platform 
(as defined in the Platform Paper), as first top-down steps in attacking our Challenge. 
But this is not enough to get a concerted work programme going; the various research 
communities need a means to converge upon specific initial projects. This is most likely 
to be achieved by networks and workshops organised for that purpose. 

An example of a 'vertical' network — one that aims to link different topics of research 
relevant to ubiquity — is UK UbiNet, recently formed and already organising workshops 
for groups with different research skills (covering hardware, software and theory) to 
inform each other. The relevant website is http://www-dse.doc.ic.ac.uk/Projects/UbiNet/. 
In contrast, a European network focussing upon theories for global computing already 
exists; known as GC2, it is an FET pro-active initiative for Framework Programme 6 of 
the European Commission. The GC2 Strategy Group has recently published a vision for 
GC2 entitled Building the Case for Global Computing, coordinated by Vladimiro Sassone; 
it can be found at http://www.cogs.susx.ac.uk/users/vs/gc2/gc2.pdf. 
Conclusion 

We can consider the Global Ubiquitous Computer as the ultimate distributed system. 
We have already responded to the exciting challenge of distributed systems; the result 
has been a new generation of computing theories. We now see that the technology 
of ubiquitous computing has extended this challenge still further; current theories of 
distributed and mobile computing systems can be seen as precursors of a still broader 
science. There is an opportunity, and an urgent need, to develop this science before 
methodologies for the GUC become established and hard to change. This can only be 
done by an ever closer collaboration between engineers, theorists and users. 
Abstract. We introduce a computational interpretation for Hilbert's 
choice operator (ε). This interpretation yields a typed foundation for 
dynamic linking in software systems. The use of choice leads to interesting 
difficulties — some known from proof theory and others specific to 
the programming-language perspective that we develop. We therefore 
emphasize an important special case, restricting the nesting of choices. 
We define and investigate operational semantics. Interestingly, computation 
does not preserve types but it is type-sound. 



1 Introduction 

In the 1920s, Hilbert invented the choice operator ε as a means of defining the 
first-order universal and existential quantifiers in an attempt to establish the 
consistency of arithmetic and analysis. Usually, in first-order logical systems, if A 
is a formula and x is a variable then εx.A is a term that represents some element 
x for which A holds, when such an x exists. The term εx.A is syntactically 
well-formed even when no such x exists. Hence, ∃x.A may be regarded as an 
abbreviation for A[(εx.A)/x]. (See section 7 for some references on ε.) 

In this paper, we introduce a computational interpretation of the choice 
operator ε in the context of a second-order propositional logic, that is, in a variant 
of propositional ε-calculus. Its originality stems from the view of this operator as 
a construct in the type system for a programming language. In our type system, 
ε binds a type variable — rather than a variable that ranges over values — much 
like ∀ in the polymorphic λ-calculus System F [9,3]. If A is a type and X is a 
type variable then εX.A is a type X for which A is inhabited, when such an 
X exists. The type X may be chosen dynamically (at run-time) among several 
candidates. In any case, X is unique. For instance, εX.X is an arbitrary, fixed 
inhabited type, and if T is an empty type, then εX.T is an arbitrary, fixed type. 

Our programming-language perspective has substantial consequences. In par- 
ticular, it constrains orders of program evaluation. We cannot blindly rely on 
analogues of the strategies previously explored in the proof theory for the choice 
operator (e.g., [14]): these strategies are generally not attractive for the opera- 
tional semantics of programs. 

While some of the logical difficulties caused by the choice operator are fairly 
well-known, we find others in this context. In short, we observe that ε tends to 
conflict with type-soundness, parametricity, and termination, and (non-conservatively) 
extends typed functional programming with tricky side effects. Some of 
these issues are crucially affected by orders of program evaluation. 

In light of these difficulties, we particularly focus on an important special case 
in which ε's cannot be nested arbitrarily. With such restrictions, we define and 
investigate operational semantics. Interestingly, computation does not preserve 
types but it is type-sound. For example, a step of computation might replace 
the type εX.X with the type Bool. Such instantiations result in global changes 
of types, but — if done with great care — not in run-time type errors. 

Choice is obviously related to existential quantification, and thereby [19] to 
abstract datatypes. From a programming-language perspective, choice enables 
us to refer to uniform, unique implementations of abstract datatypes. Two 
occurrences of εX.A in a program always refer to the same type X. In contrast, 
two occurrences of ∃X.A in a program will typically yield different, incompatible 
concrete representations for X; such incompatibility is a well-known source of 
problems, for example in the treatment of binary methods. Programming 
languages provide several other ways of overcoming or avoiding those problems (for 
instance, the "dot notation" [4]). In contrast with many programming-language 
inventions, choice remains fruitfully close to logic. 

At the same time, choice seems intriguingly close to practice. Specifically, 
whenever we instantiate εX.A with a chosen type B, we also pick a value of the 
corresponding type A[B/X]. In programming terms, this value can be seen as 
a dynamically linked implementation of the interface A, with B as the concrete 
representation type for X. Further, consecutive instantiations of a type variable 
correspond to incremental implementations of an interface. 

As a result of our exploration, we therefore obtain a foundation for (aspects 
of) typed dynamic linking in extensible software systems (e.g., [2,10,6,7,12]). 
Dynamic linking has thus far been rather mysterious and notoriously error-prone 
(e.g., [5]). It has often been defined rather vaguely, or kept “under the covers”. 
We hope that studies such as ours will contribute to taming it. 

The next section describes the syntax and type system of a minimal 
programming language with choice, which we call System ε. Section 3 starts an 
analysis of the possible computation rules for this language and of some of the 
difficulties involved. Section 4 focuses on an important fragment, System ε*, that 
has a simple and sound operational semantics. Section 5 treats an example. 
Section 6 briefly considers parametricity, termination, and conservativity. Finally, 
section 7 concludes with a discussion of related and further work. Because of 
space constraints, this paper omits some further analysis of computation rules 
for System ε; it also omits material on abstract machines, which are the subject 
of ongoing work. 



2 System ε: Basics 

This section describes the syntax, type system, and informal semantics of 
System ε, postponing formal semantics. 

2.1 Defining System ε 

Design. For simplicity and in order to focus on the choice operator, our 
programming language is a rather spartan λ-calculus. Since our choice operator 
binds type variables, we may wonder how much higher-order machinery the 
programming language should include. In particular, we may ask whether the type 
quantifier ∀ should be primitive, as in System F [9,3]. The interaction of ε with 
∀ seems to raise many interesting but non-trivial questions, as we hint in 
section 6.2. Moreover, the full power of System F quantification is rarely present 
in current practical languages. Therefore, for this first study of ε in a 
programming context, we omit ∀. We also omit higher-order type operators, recursion, 
subtyping, and mutable references. We even omit base types (Bool, ...) and 
first-order types (A × B, ...), but we liberally rely on them when appropriate 
(for instance, in examples); they are not problematic. 



Syntax. Thus, System ε is an extension of the simply typed λ-calculus, without 
base types but with ε at the level of types and corresponding implementations 
at the level of terms. Its grammar is: 

    A, B, T ::=                         types 
        X                               type variable 
        A → B                           function type 
        εX.A                            choice 

    e, t, u ::=                         terms 
        x                               variable 
        λx:A.t                          function 
        t u                             application 
        (t : A with X = T)              implementation 

The type variable X is bound in εX.A and in (e : A with X = T), with A as 
scope. We do not detail the usual definition of substitution for terms and types, 
respectively written t[u/x] and A[T/X]. 



Informal semantics. The intended meaning of the constructs borrowed from the 
simply typed λ-calculus is standard. We adopt a call-by-value interpretation. 
As explained in the introduction, εX.A is a type X for which A is inhabited, 
when such an X exists. We think of A as an interface in which X stands for 
a representation type. The type εX.A may be chosen dynamically. When an 
expression (t : A with X = T) is evaluated, it fixes εX.A to be T, accordingly 
fixes the code for A to be t (locally and elsewhere), and executes t. The details of 
this process are quite delicate, and may become clear only with formal semantics. 



Abbreviations. We abbreviate (e : A with X = T) to (e : A) when X does not 
occur free in A (and in that case T can be arbitrary). We write (e : A with T) for 
(e : A with X = T) when X is clear from context. Similarly, when X is clear from 
context, we write A[T] for A[T/X], and εA for εX.A. We write let x = t in u for 
((λx:T.u) t), when T is clear from context. We further write t; u for let x = t in u 
when x does not occur free in u. 
Typing with ε. A context Γ is a finite set of pairs (x : T) of variables and types. 
Typing judgements are of the form Γ ⊢ t : T and can be derived by the usual 
rules of the simply typed λ-calculus extended with the following new rule for ε: 

$$\frac{\Gamma \vdash e : A[T/X]}{\Gamma \vdash (e : A \;\mathrm{with}\; X = T) : A[(\varepsilon X.A)/X]}$$

This typing rule corresponds to the regular inference rule for ε in first-order 
logic. In natural-deduction style, that rule is: 

$$\frac{A[t/x]}{A[(\varepsilon x.A)/x]}$$

where A ranges over formulas and t over terms. This rule strongly resembles the 
typing rule, but omits the typing environment (which corresponds to assumptions 
higher in the natural-deduction proof tree) and the expressions (which 
embody the proofs). Such similarities are the norm whenever the Curry-Howard 
isomorphism connects a logic and a type system. 

Alternative typing rules. Several alternative typing rules are worth mentioning. 
A minor variant of our new rule includes a type substitution on terms: 

$$\frac{\Gamma \vdash e[T/X] : A[T/X]}{\Gamma \vdash (e : A \;\mathrm{with}\; X = T) : A[(\varepsilon X.A)/X]}$$

This variant might be convenient, because it can result in more compact 
expressions, but is not essential. A more significant alternative consists in extending 
the syntax and the typing rule so that one can choose several types at once. We 
return to such simultaneous choices in section 4.3. 



2.2 Examples 

We close this section with a brief, informal look at a few examples. We consider 
further examples below, also discussing their operational semantics. 

Suppose that several software components rely on auxiliary compression 
packages that provide string compression and decompression functions. Many 
of the components may come with their own compression packages, each with a 
different internal representation for compressed data. One may prefer for all the 
components to rely on the same package, so that they can exchange compressed 
data. Any one of the possible packages may do. There may not be a convenient 
way to predict that such a package will be needed and to pick one, a priori, but 
the first use of such a package could trigger the loading of one implementation. 
For this purpose, we define the type expressions: 

    CompressPkg = {c : String → X, d : X → String} 

    Compressed = εX.CompressPkg[X] 

where we write {c : String → X, d : X → String} for the type of records with 
c and d components with respective types String → X and X → String. One 
component, e, may use a trivial compression package f: 

    f = {c = λs:String.s, d = λs:String.s} 
    e = let h = (f : CompressPkg with X = String) in 
        ... h.c ... h.d ... 

Another component, e', may use a more interesting compression package f' in 
which natural numbers implement compressed data: 

    f' = {c = string2nat, d = nat2string} 
    e' = let h = (f' : CompressPkg with X = Nat) in 
        ... h.c ... h.d ... 

Now e and e' may be combined in a larger expression m. For example, if e has 
type Compressed and e' has type Compressed → Nat, we may write m = (e' e) 
with type Nat. At run-time, the execution of m loads f or f' but does not mix 
them, avoiding type errors. 

Similarly, consider the interface: 

    NatList = {nil : X, cons : Nat → X → X, member : X → Nat → Bool} 

for lists of natural numbers, with an empty list and with cons and membership 
operations. When t and u are two expressions of type NatList[εX.NatList], they 
may rely on different internal representations for lists, but it is still safe to write 
terms such as t.cons(2)(u.nil). At run-time, only one internal representation is 
used. 

A deeper and more detailed example is given in section 5, including opera- 
tional semantics. 

3 Computing in System ε 

Much as in the study of control operators, which correspond to classical logic, 
we aim to explore a new programming-language construct that corresponds to 
an extension of intuitionistic logic with ε. From a logical perspective, the aim is 
a cut-elimination result as general as possible. This approach was the one taken 
by Leisenring [14] in a first-order framework, with backtracking over choices and 
reduction under binders (strong reduction, in programming-language terms). In 
contrast, we favor a programming perspective, focusing on implementable and 
predictable operational semantics. However, our approach is also relevant to the 
more exotic strategies that arise from logical cut-elimination. 

3.1 Linking 

In order to perform computation with a System ε term t, we must be able to 
replace an implementation term (e' : A with T') that appears in head position 
in t with some term e. This step is essentially a linking operation: replacing 
a link to a potential implementation e' of A with an actual implementation e 
(which can be, but is not necessarily e'). 

More precisely, let t be a term, and m = (e : A with T) an implementation of 
the interface A[εA]. Suppose that some implementation m' of A[εA], m' = (e' : 
A with T'), occurs in t. Linking m' to m, that is, replacing m' with e, implies 
linking the interface choice type εA to the type T used for εA in e, that is, 
replacing εA with T. (This replacement also applies to any types α-convertible 
to εA.) 

However, there is no scope for εA: the substitution of T for εA must be global 
to t. In contrast, for existential types, the elimination construct for ∃A (named 
open in [3]) delineates statically the scope in which the chosen representation 
type T can be used. There is no such elimination construct for εA. Thus, we 
may view A[εA] as the open interface type for the interface A, and ∃A as the 
closed one. 

Because the substitution of T for εA is global, it reaches all other 
implementations of A[εA] in t.¹ In order to interoperate with e, those implementations 
must, at the very least, use the same representation type T as e. The only way of 
achieving this effect in practice is to link them with m as well. Thus, the entire 
linking operation must be global. 

Definition 1. Let again m stand for (e : A with T). The static linking of t with 
m, noted t↓m, is defined as the term obtained by simultaneously replacing all 
implementations of A[εA] with e, and all instances of εA with T. If we use * as 
a wildcard in pattern-matching, we can write this as: 

$$t \downarrow (e : A \;\mathrm{with}\; T) \;=\; t[T/\varepsilon A,\; e/(* : A \;\mathrm{with}\; *)]$$

We extend the linking notation to types and typing contexts: 

$$R \downarrow m = R[T/\varepsilon A] \qquad\qquad \Gamma \downarrow m = \Gamma[T/\varepsilon A]$$

One may argue that the linking operation, as specified here, is unsatisfactory 
for practical, efficient implementations of programming languages. In particular, 
it requires testing type equalities at run-time. Section 4.3 offers a remedy. 

3.2 Type Soundness 

In spite of the precautions we have taken, t↓m is not always well-typed. Let 

    C = X → Y        B = εX.εY.C        B' = εY.C[B/X] 

and consider the term 

    u = (not : Bool → Y with Y = Bool) 

¹ That is, of course, except the implementations of A[εA] occurring inside e. The 
example of section 5 illustrates this point. 
which has type 

    Bool → εY.C[Bool/X] 

It follows that the type of 

    v = ((u true) : εY.C with X = Bool) 

is B', but B' does not appear in v. Now 

    w = (λx:B.1 : B → Y with Y = Nat) 

is an implementation of type C[B/X][B'/Y], so ((λx:B'.x) v)↓w = ((λx:Nat.x) v) 
is not well-typed. 

This difficulty is well-known in the proof theory of ε. It arises when there are 
so-called "improper" ε type expressions that contain ε subexpressions in which 
the outer ε type variable appears free. For example, εX.εY.(X → Y) is improper 
because the outer type variable X occurs under εY. 

More precisely, we say that a type εC is subordinate in an implementation (e : 
B with Y = T) if B contains a subexpression εB', in which Y appears (making 
εY.B improper), such that εC is equal to either εB'[T/Y] or εB'[εY.B/Y]; we 
say that εC is subordinate in t if εC is subordinate in some subterm of t. 

By a straightforward structural induction, we obtain a conditional type- 
soundness result: 

Theorem 1. Suppose that B, Δ ⊢ t : R and B, Δ' ⊢ m : A[εA], where B, Δ, and 
Δ' are disjoint contexts. If εA is not subordinate in t and does not appear in B, 
then 

$$B,\; \Delta \downarrow m,\; \Delta' \;\vdash\; t \downarrow m : R \downarrow m$$

The difficulties explained above make it impossible to remove the conditions 
of this statement in order to obtain an unconditional type-soundness theorem. 
One might expect that a solution could be based on work in proof theory, and 
in particular on Leisenring’s approach. Unfortunately, that approach is not di- 
rectly suitable in a programming context. We have found realistic examples with 
dependent choices in which “normal” orders of evaluation lead to type errors, 
and in which orders of evaluation based on Leisenring’s are inappropriate. We 
may go further in two ways: 

— One is to choose an evaluation order which avoids subordinate interface 
types. Such evaluation orders may be too complex for programming pur- 
poses. We omit their description. 

— The other is to avoid subordinate interface types entirely. The corresponding 
restrictions seem reasonable, and we describe one next, in section 4. 

4 System ε* 

In this section we start to explore a relatively simple but important fragment of 
System ε that we call System ε*. We believe that this fragment is useful in its 
own right (not only as a possible stepping stone), so a substantial part of this 
paper is devoted to its development. 
4.1 Defining System ε* 

System ε* is a well-behaved fragment of System ε that forbids interleaved ε 
binders in types. From a logical perspective, it corresponds to what Leisenring 
called the ε*-calculus. From a programming-language perspective, this means 
that open interfaces cannot occur in signatures. 

Definition 2. A type is valid in System ε* (in short, is in ε*) if it verifies the 
two properties: 

— all its subexpressions are in ε*, 

— if it is of the form εX.A, and εY.B is a subexpression of A, then there is no 
occurrence of X in B which is free in A. 

A term t or context B is in ε* if every type occurring in it is in ε*. 

Note that we can obtain the same restriction by requiring that ε always binds 
the same fixed type variable (very roughly analogous to self or like Current for 
objects). 

For example, the type εX.(X → εY.(Y → Y)) is in ε* but εX.(X → 
εY.(X → Y)) is not. The former type can be written with a single bound type 
variable, as εX.(X → εX.(X → X)). The latter type cannot be rewritten 
analogously, because of the occurrence of a bound variable underneath another binder. 

For types in ε*, the typing rules for System ε* are identical to those of 
System ε. Crucially, in System ε*, no type is subordinate in any implementation. 
Therefore, Theorem 1 always applies. Furthermore, if B, t, and m are valid, then 
so are B↓m and t↓m. Thus, the way is paved for simple operational semantics for 
System ε*. This system remains rich enough for many examples, such as those 
developed in sections 2.2 and 5. 

4.2 Operational Semantics 

Basically, we choose a functional evaluation strategy (say, here, right-to-left call- 
by-value) and we perform a static linking step, on the fly, each time an imple- 
mentation is encountered. 

More formally, it is convenient to use evaluation contexts. We adopt the 
following, usual, definitions for values and evaluation contexts: 

    v ::=                       values 
        λx:A.e                  function 

    C ::=                       evaluation contexts 
        •                       hole 
        e C                     application right 
        C v                     application left 

and the reduction rules: 

$$C[(\lambda x{:}A.e\;\; v)] \;\to\; C[e[v/x]]$$

$$C[(e : A \;\mathrm{with}\; T)] \;\to\; \big(C \downarrow (e : A \;\mathrm{with}\; T)\big)[e]$$

The following decomposition lemma is easy. 
The following decomposition lemma is easy. 
Lemma 1. Suppose that e is a closed term. Then e is a value or e = C[r] for 
some context C and term r which is either a β-redex or an implementation. 

A more general lemma is necessary when we extend the language, and then 
we want to distinguish arbitrary normal forms (like the bad application 3(4)) 
from proper values. 

Since Theorem 1 applies to any well-typed term in System ε*, it is easy to 
check: 

Theorem 2. If Γ ⊢ C[r] : R in System ε*, ε does not appear in Γ, and 
C[r] → e, then there exists R' such that Γ ⊢ e : R' in System ε*. 

The following corollary follows from Lemma 1 and Theorem 2. 

Corollary 1. Suppose that e is a closed term. If e is well-typed in System ε* 
then either e is a value or there exists e' such that e → e' and e' is also well-typed 
in System ε*. 



4.3 A Programming Syntax 

We believe that System ε* suggests useful (and not too esoteric) ideas for lan- 
guage design. Even if realizing these ideas is beyond the aims of this paper, we 
can already outline a more practical syntax for choice. 

In actual programming, one often wants to attach names to types for con- 
ciseness and clarity, and also as brands (in the sense of Modula-3 [20]), in order 
to distinguish different uses of the same type (for instance, real temperatures 
and real distances). We use type variables as names for ε types. When X is 
associated with A in the typing context, X stands for εX.A. When X and Y are 
associated with A and A[Y/X], respectively, we need not equate them. 

We further permit simultaneous choices, so that an interface does not have 
to rely on one single type variable. Thus, for example, we may write an inter- 
face type of address books, with several type variables for the types of names, 
phone numbers, and addresses. Simultaneous choices are convenient but not a 
major extension. (We believe that they can be reduced to simple choices using 
quantifiers.) 

The typing judgements are of the form Δ, Γ ⊢ e : T where Γ binds term 
variables to types as usual, and Δ is a list of associations, each of the form 
[X₁, ..., Xₙ | A]. The grammar of the language is: 

    A, B, T ::=                         types 
        X, Y, ...                       type variables 
        A → B                           function type 

    e, t, u ::=                         terms 
        x                               variable 
        λx:A.t                          function 
        t u                             application 
        (t | X₁ = T₁ ... Xₙ = Tₙ)       implementation 

    List(L) = {nil : L; cons : Nat → L → L; hd : L → Nat option; tl : L → L} 
    let bl = {nil = []; cons = (_ :: _);                                 : List(Nat list) 
              hd = function (a :: l) → Some a | _ → None; 
              tl = function (a :: l) → l | _ → []} 
    in let cons2 x y a =                 : Nat → Nat → List(εL.List(L)) → List(εL.List(L)) 
        let l = (bl : List(L) with L = Nat list) in l.cons x (l.cons y a) 
    in let hd2 a =                       : List(εL.List(L)) → (Nat * Nat) option 
        let l = (bl : List(L) with L = Nat list) in 
        match (l.hd a, l.hd (l.tl a)) with 
          Some x, Some y → Some (x, y) 
        | _ → None 
    in let tl2 = ...                     : List(εL.List(L)) → List(εL.List(L)) 
    in let l = ({nil = (bl : List(L) with L = Nat list).nil;             : List(εL.List(L)) 
                 cons = fun x a → match hd2 a with 
                          Some (n, x') where x = x' → cons2 (n + 1) x (tl2 a) 
                        | _ → cons2 1 x a; 
                 ...} with L = εL.List(L)) 
    in (cons2 3 3 l.nil)                 : List(εL.List(L)) 

Fig. 1. An incremental example 



Pleasantly, the restriction to ε* is embedded in the syntax. We need a well- 
formedness condition for the associations Δ: 

Definition 3. The list of associations Δ is well-formed if it is empty or is of the 
form Δ'; [X₁, ..., Xₙ | A] with Δ' well-formed, X₁, ..., Xₙ pairwise distinct and 
not already bound in Δ', and every type variable that occurs in A being either 
some Xᵢ or bound in Δ'. Further, Δ, Γ is well-formed if Δ is well-formed and 
all type variables used in Γ are bound in Δ. 

The typing rules for jud��ements of the form Δ, Γ ⊢ e : T are the ones of the 
simply typed λ-calculus with the provision that Δ, Γ is well-formed. The typing 
rule for implementations is: 

$$\frac{\Delta, \Gamma \vdash e : A[T_1/X_1, \ldots, T_n/X_n] \qquad [X_1, \ldots, X_n \mid A] \in \Delta}{\Delta, \Gamma \vdash (e \mid X_1 = T_1 \ldots X_n = T_n) : A}$$

Here [T₁/X₁, ..., Tₙ/Xₙ] represents parallel substitution. 

We can adapt the computation rules to this syntax, but the specifics are 
somewhat complicated. We detail only a simple case in order to show how branding 
becomes apparent. Provided X₁, ..., Xₙ do not appear in the remainder of the 
typing context, we have: 

$$C[(e \mid X_1 = T_1 \ldots X_n = T_n)] \;\to\; C[T_1/X_1, \ldots, T_n/X_n,\; e/(* \mid X_1 = * \ldots X_n = *)]\,[e]$$

An important aspect of this rule is that linking of implementations no longer 
requires any inefficient testing of type equalities. 
5 An Incremental Example 

We can now study an example in more detail. Its code is given in Figure 1. For 
clarity, we have added the types of the main functions on the right-hand side. 
This example features another simple interface for lists, composed of the empty 
list, consing, and the head and tail functions. We have adopted an ML syntax 
(actually close to Caml) and we suppose the language supports primitive lists 
and pattern matching. The primitive empty list (respectively primitive consing) is 
written [] (respectively a :: l). We also use records and an option type, both in 
a standard way. The record of the interface is abbreviated as List(L). The type 
of lists is thus εL.List(L). 

The example defines two possible instantiations for the type List(εL.List(L)). 
The first trivially packages the primitive implementation. The second is 
optimized for lists with many identical successive elements: for instance, [1; 1; 1; 4; 4] 
is represented by [3; 1; 2; 4]. 

Interestingly, the second implementation is built upon the first one. Thus 
εL.List(L) is linked successively to the two implementations during execution. 
Furthermore, the function cons2 is used in the definition of the optimized 
representation, and will thus behave in two different ways. This illustrates the 
possibility of using System ε* for a form of incremental programming. 

The final result of the evaluation is [2; 3], which is the "optimized" 
representation of [3; 3]. In order to describe the evaluation concisely, we need some 
abbreviations. Let c₂, b, and b₁ be the terms such that the program reads: 

    List(L) = {nil : L; ...} 
    let bl = b₁ 
    in let cons2 = c₂ 
    in let hd2 = ... 
    in let tl2 = ... 
    in let l = b in (cons2 3 3 l.nil) 

No linking takes place during the first steps of the evaluation; instead the 
four first let constructs are substituted, so that the program is then of the form: 

    (let l = b in (cons2 3 3 l.nil))[σ] 

where σ stands for the successive substitutions [b₁/bl] ∘ [c₂/cons2] ... 

Then comes the evaluation of b[σ] which yields a first linking step: 

    (let l = b in (cons2 3 3 l.nil))[σ] ↓ b[σ] 

which is equal to: 

    let l = b[σ] ↓ b[σ] in ((cons2 3 3 l.nil) ↓ b)[σ] 

However b[σ] ↓ b[σ] is a record and the evaluation of its nil component involves 
a second linking; further reducing the let construct and the arguments of the 
function we reach: 

    ((cons2 3 3 [])[σ] ↓ b[σ]) ↓ (b₁ : List(L) with L = Nat list) 

which is actually equal to: 

    ((c₂[b₁/bl] ↓ b[σ]) ↓ (b₁ : List(L) with L = Nat list)) 3 3 [] 

Here, we see precisely that in the body of the first occurrence of cons2, lists 
are linked to the "optimized" implementation by b[σ]. However inside the body 
of b[σ], lists are linked to the standard implementation by (b₁ : List(L) with L = 
Nat list). As a result, the function cons2 has two different behaviors, depending 
upon whether it is used inside or outside b. 

This example thus suggests that, in this setting, functions cannot simply be 
viewed as closures. It also raises the question of an efficient execution model for 
System ε*. We omit our answer to that question. 

6 Parametricity, Termination, Conservativity (Sketch) 

We close the technical material of this paper with brief discussions of 
parametricity, of normalization, and of the logical strength of ε. 



6.1 Conflict with Parametricity 

System F is parametric in the sense that computations do not depend on type information. On the other hand, System ε and System ε* clearly lack parametricity. Specifically, we can find terms e[T/X] and e[T'/X] that yield different outputs:

— Let e be the term 

$(\lambda x{:}X.x : X \to X);\ (\lambda x{:}\mathrm{Int}.0 : \mathrm{Int} \to \mathrm{Int})(1)$

(This term is well-typed as soon as we allow the use of type variables at all.) 

— e[Int/X] yields 1.

— e[Bool/X] yields 0.

We have yet to investigate semantic models for calculi with ε. The failure
of parametricity suggests that such models might be rather different from the 
models of System F. 

6.2 Conflict with Normalization 

In extensions of System F, non-parametricity often conflicts with strong nor- 
malization. In particular, Girard studied a non-parametric combinator J and 
showed that its addition to System F breaks strong normalization [9]. Harper 
and Mitchell considered a related combinator J' which also breaks strong nor- 
malization despite having a more mundane type than J [11]. Both J and J' rely 
on testing type equalities at run-time. 

Using similar ideas, we can exhibit a non-terminating term which is well-typed in System ε with impredicative universal quantification. For brevity, we do not detail the standard rules for universal types here, and we do not discuss which restrictions can preserve type soundness in the resulting calculus since our example presents no problem in that respect.

Consider the following abbreviations:

$B = \forall X.\, X \to X \to X$ (the type of booleans encoded in System F)

$m_1 = (\lambda x{:}X.\lambda f{:}B.(f\ B\ f\ f) : X \to B \to B)$ \qquad $q = m_1 ; m_2 : X \to X \to X$

$m_2 = (\lambda x{:}X.\lambda y{:}X.x : X \to X \to X)$ \qquad $r = \Lambda X.q : B$

Since $r \mid m_1[B/X] = r$ and $q[B/X] \mid m_1[B/X] = \lambda x{:}B.\lambda f{:}B.(f\ B\ f\ f)$, the well-typed term $(r\ B\ r\ r)$ reduces to itself in any weak call-by-value reduction strategy.

An analogous term can be written without quantifiers or in programming 
syntax, but then we recover termination. The main open question on this subject 
is whether every well-typed term of System ε* terminates with our operational
semantics. The evidence thus far suggests that, if true, termination might be 
tricky to justify. 



6.3 Non-conservativity 

The addition of ε is not conservative over intuitionistic second-order propositional logic. Specifically, we can derive $\exists Z.((\exists Z.A) \to A[Z])$ using ε, but not otherwise. This property suggests that computation mechanisms beyond those present in intuitionistic systems might in general be necessary for programming languages with ε (much as happens for calculi based on classical logic).

On the other hand, $\exists Z.((\exists Z.A) \to A[Z])$ is essentially all we get. We have obtained a compositional translation from our λ-calculus with ε to second-order λ-calculus, which yields a term parameterized by variables of type $\exists Z.((\exists Z.A) \to A[Z])$, for each εZ.A implemented in the term. The type $\exists Z.((\exists Z.A) \to A[Z])$ is a close relative of $\exists Z.(A[Z] \to (\forall Z.A))$, the drinker’s paradox (“there exists Z such that if Z drinks then everyone drinks”). The details of this translation, which extends to systems with quantifiers, are however beyond the scope of this paper.

In particular, ε does not yield the full power of classical logic. We cannot derive the classical drinker’s paradox, or the law of the excluded middle. (The operator ε can be interpreted over a little 3-point Heyting algebra in which the law of the excluded middle fails.)

7 Related and Further Work 

The literature contains much material on the choice operator, on abstract data- 
types, and on linking. Of course this material includes Hilbert’s original work. 
It also includes many more recent — and sometimes more exotic — developments. 
For instance, ε has been used in explaining natural-language quantifiers. In what
follows, we discuss the research most closely related to ours. 

On the logical side, the most relevant research is that on the proof theory 
of logical systems with choice. In particular, Leisenring studied cut elimination 
in a classical first-order logic with choice. Leisenring defined an order for resolving choices that depended on a delicate system of ranks. Flannagan later
discovered and corrected a flaw in Leisenring’s definition [8]. Mints also stud- 
ied the proof theory of choice, in particular for intuitionistic systems [16] (see 
also [17]). Leivant considered choice in intuitionistic arithmetic, where the ad- 
dition of choice quickly leads to a classical system [15]. Some other prior work 
is described for example in a recent encyclopedia article [1]. A general char- 
acteristic of this work is that it relies on proof transformations with sensible 
technical motivations but which do not necessarily correspond to sensible eval- 
uation strategies from a computing perspective, as indicated in section 3. 

On the computing side, choice is related to many familiar constructs and 
phenomena — such as dynamic linking, as we argue in this paper, and others 
discussed in the introduction. We are not however aware of any programming- 
language treatment of the choice operator. Recently, in intriguing unpublished 
work, J.-L. Krivine has been exploring the computational meaning of certain 
classical-logic formulas that express choice principles [13]. Formally, our systems 
are quite different, and Krivine tends to explain those formulas in terms of 
object-oriented programming (rather than linking). Despite such differences, we 
owe much to Krivine’s set-theoretic investigations in the late 1990s. 

Considering that the choice operator can often be seen as syntactic sugar, 
one might imagine that proof theory and type theory would hardly be affected 
by the introduction of this operator. One might at least expect to transfer results 
from systems with quantifiers. This point of view is unfortunately simplistic. In 
particular, εX.A can be encoded as A[true/X] or as ¬A[false/X] in classical propositional logic [18]; these trivial encodings preserve provability, but they do
not capture computational behavior, and they hardly give us new type systems. 

Focusing on computation and types, this paper defines and studies a pro- 
gramming calculus with a choice operator. This investigation suggests much 
further work. This work includes syntax exploration as hinted in section 4.3 but 
also extension with other familiar programming-language constructs, such as 
subtyping, recursion, and mutable references. Another interesting track is to un- 
derstand how the use of choice may be liberalized, relaxing restrictions adopted 
in this paper. Finally, it would be worthwhile to reconsider the role of choice 
in the context of mainstream programming systems — both explaining present 
systems in logical terms and enriching those systems. 
Abstract. Soft linear logic ([Lafont02]) is a subsystem of linear logic
characterizing the class PTIME. We introduce Soft lambda- calculus as a 
calculus typable in the intuitionistic and affine variant of this logic. We 
prove that the (untyped) terms of this calculus are reducible in polyno- 
mial time. We then extend the type system of Soft logic with recursive 
types. This allows us to consider non-standard types for representing 
lists. Using these datatypes we examine the concrete expressiveness of 
Soft lambda-calculus with the example of the insertion sort algorithm. 



1 Introduction 

The advent of global computing has increased the need for formal bounds on the use of resources by programs. This issue arises in a variety of situations, such as when running code originating from an untrusted source or in settings where memory or time is constrained, for instance in embedded or synchronous systems.

Some cornerstones have been laid by the work in Implicit Computational 
Complexity (ICC) carried out by several authors since the 1990s ([16,17,6] among 
others). This field aims at studying languages and calculi in which all programs
fall into a given complexity class. The most studied case has been that of deter- 
ministic polynomial time complexity (PTIME class). 

We can in particular distinguish two important lines of work. The first one 
deals with primitive recursion and proposes restrictions on primitive recursion 
such that the functions definable are those of PTIME: this is the approach of safe 
or ramified recursion ([6,16]) and subsequent extensions ([13,7]). Another line is 
that of Linear logic (LL)([9]). The Curry-Howard correspondence allows us to 
see proofs in this logic as programs. Linear logic provides a way of controlling 
duplication of arguments thanks to specific modalities (called exponentials). It is 
possible to consider variants of LL with alternative, stricter rules for modalities, 
for which all proofs-programs can be run in polynomial time. 

Light linear logic, introduced by Girard ([10]) is one of these systems. It 
has been later simplified by Asperti into Light affine logic ([3]) which allows 
for arbitrary erasing. However formulas in this system are quite complicated as
there are two modalities, instead of just one in Intuitionistic linear logic, which 
makes programming delicate (see [2,4]). More recently Lafont has introduced 
Soft linear logic (SLL) ([15]), a simpler system which uses the same language of 
formulas as Linear logic and is polytime. It can in fact be seen as a subsystem 
of Linear logic or of Bounded linear logic ([11]). A semantics for SLL formulas 
has been proposed in [8] and some expressiveness properties have been studied 
in [19]. 

For each of these systems one shows that the terms of the specific calculus 
can be evaluated in polynomial time. A completeness result is then proved by 
simulating in the calculus a standard model for PTIME computation such as 
PTIME Turing machines. It follows that all PTIME functions are representable 
in the calculus, which establishes its expressiveness. This does not mean that all 
algorithms are directly representable. For instance it has been observed that some 
common algorithms such as insertion sort or quicksort cannot be programmed in 
a natural way in the Bellantoni-Cook system (see for instance [12]). Important 
contributions to the study of programming aspects of Implicit computational 
complexity have been done in particular by Jones ([14]), Hofmann ([12]) and 
Marion ([18]). 

In the present work we investigate the ideas underlying SLL and their ap- 
plication to programming. In [15] SLL is defined with sequent-calculus and the 
results are proved using proof-nets, a graph representation of proofs. In order to 
facilitate the study of programming we define a specific calculus, Soft lambda-calculus (SLC), which can be typed in Soft linear (or affine) logic, thus providing a
term syntax for this logic. We show that the untyped version of this calculus sat- 
isfies the property of polynomial strong normalization: given a term, the length 
of any reduction sequence is bounded by a polynomial of its size. This general- 
izes the property of polynomial strong normalization of SLL from [15] (actually 
it was already pointed out by Lafont that the result would apply to untyped 
proof-nets). Our calculus is inspired by Terui’s Light affine lambda-calculus
([20]) which is a calculus typable in Light affine logic and with polynomial strong 
normalization. 

As untyped SLC already enjoys polynomial reduction we can then consider 
more liberal type systems allowing for more programming facilities. We propose 
a type system extending Soft affine logic with recursive types. We finally examine 
how this system enables us to define new datatypes which might allow representing
more algorithms. We illustrate our approach on the example of lists and the 
insertion sort algorithm. 



2 Soft lambda-Calculus 

The introduction of our calculus will be done in two steps (as in [20]): first we 
will define a grammar of pseudo-terms and then we will distinguish terms among 
pseudo-terms. The pseudo-terms of Soft lambda-calculus (SLC) are defined by 
the grammar: 
$t, t' ::= x \mid \lambda x.t \mid (t\ t') \mid\ !t \mid \mathsf{let}\ t\ \mathsf{be}\ !x\ \mathsf{in}\ t'$

Given a pseudo-term $t$ we denote by $FV(t)$ its set of free variables and, for a variable $x$, by $no(x,t)$ the number of free occurrences of $x$ in $t$. A pseudo-term of the form $\mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_1$ is called a let expression and the variable $x$ in it is bound:

$FV(\mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_1) = FV(u) \cup FV(t_1) \setminus \{x\}$.

If $\vec{t}$ and $\vec{x}$ respectively denote finite sequences of the same length $(t_1, \ldots, t_n)$ and $(x_1, \ldots, x_n)$, then $\mathsf{let}\ \vec{t}\ \mathsf{be}\ !\vec{x}\ \mathsf{in}\ t'$ will be an abbreviation for $n$ consecutive let expressions on the $t_i$'s and $x_i$'s: $\mathsf{let}\ t_1\ \mathsf{be}\ !x_1\ \mathsf{in}\ \mathsf{let}\ t_2\ \mathsf{be}\ !x_2\ \mathsf{in} \ldots t'$. In the case where $n = 0$, $\mathsf{let}\ \vec{t}\ \mathsf{be}\ !\vec{x}\ \mathsf{in}\ t'$ is $t'$.

We define the size $|t|$ of a pseudo-term $t$ by:

$|x| = 1$, \quad $|\lambda x.t| = |t| + 1$, \quad $|(t_1\ t_2)| = |t_1| + |t_2|$,

$|!t| = |t| + 1$, \quad $|\mathsf{let}\ t_1\ \mathsf{be}\ !x\ \mathsf{in}\ t_2| = |t_1| + |t_2| + 1$.

We will type these pseudo-terms in intuitionistic soft affine logic (ISAL). The 
formulas are given by the following grammar: 

$T ::= \alpha \mid T \multimap T \mid \forall\alpha.T \mid\ !T$

We choose the affine variant of Soft linear logic, which means permitting full 
weakening, to allow for more programming facility. This does not change the 
polytime nature of the system, as was already the case for light logic ([3]). 

We give the typing rules in a sequent calculus presentation. It offers the advantage of being closer to the logic. It is less convenient for type inference, but that is not our purpose in this paper. The typing rules are given in Figure 1.



$x : A \vdash x : A$ (variable)

$\dfrac{\Gamma \vdash t : A \qquad \Delta, x : A \vdash u : B}{\Gamma, \Delta \vdash u[t/x] : B}$ (cut)

$\dfrac{\Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x.t : A \multimap B}$ (right arrow) \qquad $\dfrac{\Gamma, x : B \vdash t : C \qquad \Delta \vdash u : A}{\Gamma, \Delta, y : A \multimap B \vdash t[(y\ u)/x] : C}$ (left arrow)

$\dfrac{\Gamma \vdash t : B}{\Gamma, x : A \vdash t : B}$ (weak.)

$\dfrac{x : A[C/\alpha], \Gamma \vdash t : B}{x : \forall\alpha.A, \Gamma \vdash t : B}$ (left $\forall$) \qquad $\dfrac{\Gamma \vdash t : B}{\Gamma \vdash t : \forall\alpha.B}$ (right $\forall$) (*)

$\dfrac{x_1 : A, \ldots, x_n : A, \Gamma \vdash t : B}{y : !A, \Gamma \vdash \mathsf{let}\ y\ \mathsf{be}\ !x\ \mathsf{in}\ t[x/x_1, \ldots, x_n] : B}$ (mplex)

$\dfrac{x_1 : A_1, \ldots, x_n : A_n \vdash t : B}{y_1 : !A_1, \ldots, y_n : !A_n \vdash \mathsf{let}\ \vec{y}\ \mathsf{be}\ !\vec{x}\ \mathsf{in}\ !t : !B}$ (prom.)

Fig. 1. ISAL typing rules

For (right $\forall$) we have the condition: (*) $\alpha$ does not appear free in $\Gamma$.
Observe that the let expression is used to interpret both the multiplexing (mplex) and the promotion (prom.) logical rules. We could distinguish two different kinds of let but we prefer to have a small calculus.
For instance one can consider for unary integers the usual type of Linear logic: $N = \forall\alpha.!(\alpha \multimap \alpha) \multimap \alpha \multimap \alpha$. The integer $n$ is represented by the following pseudo-term of type $N$, with $n$ occurrences of $s'$:

$\lambda s.\lambda x.\mathsf{let}\ s\ \mathsf{be}\ !s'\ \mathsf{in}\ (s'\ (s'\ (s' \ldots x) \ldots))$

Among pseudo-terms we define a subclass of terms. These will be defined inductively together with a notion of temporary variables. The temporary variables of a term $t$, $TV(t)$, will be part of the free variables of $t$: $TV(t) \subseteq FV(t)$.

Definition 1. The set $\mathcal{T}$ of terms is the smallest subset of pseudo-terms such that:

1. $x \in \mathcal{T}$; then $TV(x) = \emptyset$;

2. $\lambda x.t \in \mathcal{T}$ iff: $x \notin TV(t)$, $t \in \mathcal{T}$ and $no(x,t) \le 1$; then $TV(\lambda x.t) = TV(t)$;

3. $(t_1\ t_2) \in \mathcal{T}$ iff: $t_1, t_2 \in \mathcal{T}$, $TV(t_1) \cap FV(t_2) = \emptyset$, $FV(t_1) \cap TV(t_2) = \emptyset$; then $TV((t_1\ t_2)) = TV(t_1) \cup TV(t_2)$;

4. $!t \in \mathcal{T}$ iff: $t \in \mathcal{T}$, $TV(t) = \emptyset$ and $\forall x \in FV(t)$, $no(x,t) = 1$; then $TV(!t) = FV(t)$;

5. $\mathsf{let}\ t_1\ \mathsf{be}\ !x\ \mathsf{in}\ t_2 \in \mathcal{T}$ iff: $t_1, t_2 \in \mathcal{T}$, $TV(t_1) \cap FV(t_2) = \emptyset$, $FV(t_1) \cap TV(t_2) = \emptyset$; then $TV(\mathsf{let}\ t_1\ \mathsf{be}\ !x\ \mathsf{in}\ t_2) = TV(t_1) \cup (TV(t_2) \setminus \{x\})$.

Basically the ideas behind the definition of terms are that: 

— one can abstract only on a variable that is not temporary and which has at 
most one occurrence, 

— one can apply ! to a term which has no temporary variable and whose free 
variables have at most one occurrence; the variables then become temporary; 

— the only way to get rid of a temporary variable is to bind it using a let 
expression. 

It follows from the definition that temporary variables in a term are linear: 

Lemma 1. If $t$ is a term and $x \in TV(t)$, then $no(x,t) = 1$.

The definition of depth will be useful later when discussing reduction: 

Definition 2. Let $t$ be a term and $u$ be an occurrence of a subterm of $t$. We call depth of $u$ in $t$, $d(u,t)$, the number $d$ of subterms $v$ of $t$ such that $u$ is a subterm of $v$ and $v$ is of the form $!v'$. The depth $d(t)$ of a term $t$ is the maximum of $d(u,t)$ for $u$ subterms of $t$.

For instance: if $t = !(\lambda f.\lambda x.\mathsf{let}\ f\ \mathsf{be}\ !f'\ \mathsf{in}\ !u)$ and $u = (f'\ x)$, we have $d(u,t) = 2$.
We can then observe that:

Proposition 1. Let $t$ be a term. If $x$ belongs to $FV(t)$ and $x_0$ denotes an occurrence of $x$ in $t$, then $d(x_0,t) \le 1$. Moreover all occurrences of $x$ in $t$ have the same depth, which we can therefore denote by $d(x,t)$, and we have: $d(x,t) = 1$ iff $x \in TV(t)$.



We will consider a subclass of terms: 
Definition 3. A term $t$ is well-formed if:

$TV(t) = \emptyset$ and $\forall x \in FV(t)$, $no(x,t) = 1$.

Note that to transform an arbitrary term into a well-formed one, one only needs 
to add enough let expressions. Actually the properties we will prove in section 
3 are valid for terms and the notion of well-formed terms is introduced only 
because these are the terms that can be duplicated during reduction. We have 
the following properties on terms and substitution: 

Lemma 2. If $t$ is a term and $t = !t_1$, then $t_1$ is a well-formed term.

Lemma 3. If we have: (i) $t, u$ terms, (ii) $TV(u) = \emptyset$, (iii) $x \notin TV(t)$, and (iv) $FV(u) \cap TV(t) = \emptyset$, then: $t[u/x]$ is a term and $TV(t[u/x]) = TV(t)$.

We can then check the following: 

Proposition 2. If $t$ is a pseudo-term such that in ISAL we have $\Gamma \vdash t : A$, then $t$ is a well-formed term.

Proof. We prove by induction on the ISAL derivation $\mathcal{D}$ the following statement: i.h.($\mathcal{D}$): if the conclusion of $\mathcal{D}$ is $\Gamma \vdash t : A$ then: $t$ is a term, $TV(t) = \emptyset$ and $\forall x \in \Gamma$, $no(x,t) \le 1$.

All the cases of the induction follow directly from the application of definition 1 except (cut), (left arrow), (mplex), for which we also use lemma 3.

However not all well-formed terms are typable in ISAL: $t = \lambda x.\mathsf{let}\ x\ \mathsf{be}\ !y\ \mathsf{in}\ (y\ y)$ for instance is a well-formed term, but is not ISAL typable.

We will also need in the sequel two variants of lemma 3: 

Lemma 4. If we have: (i) $t, u$ terms, (ii) $x \notin TV(t)$, (iii) $no(x,t) = 1$, (iv) $FV(u) \cap TV(t) = \emptyset$, (v) $TV(u) \cap FV(t) = \emptyset$, then: $t[u/x]$ is a term and $TV(t[u/x]) = TV(t) \cup TV(u)$.

Note that the main difference with lemma 3 is that we have here the assumption $no(x,t) = 1$.

Lemma 5. If we have: (i) $t$ is a term and $u$ is a well-formed term, (ii) $x \in TV(t)$, (iii) $FV(u) \cap FV(t) = \emptyset$, then: $t[u/x]$ is a term and $TV(t[u/x]) = TV(t) \setminus \{x\} \cup FV(u)$.

We now consider the contextual one-step reduction relation $\to$ defined on pseudo-terms by the rules of Figure 2. These rules assume renaming of bound variables so that capture of free variables is avoided in the usual way. The rules (com1) and (com2) are the commutation rules. The relation $\to^{*}$ is the transitive closure of $\to$.

We have: 

Proposition 3. The reduction is well defined on terms: if $t$ is a term and $t \to t'$ then $t'$ is a term. Moreover:

– $FV(t') \subseteq FV(t)$ and $TV(t') \subseteq TV(t)$,

– if $t$ is well-formed then $t'$ is well-formed.
$(\beta)$: $((\lambda x.t)\ u) \to t[u/x]$

$(!)$: $\mathsf{let}\ !u\ \mathsf{be}\ !x\ \mathsf{in}\ t \to t[u/x]$

(com1): $\mathsf{let}\ (\mathsf{let}\ t_1\ \mathsf{be}\ !y\ \mathsf{in}\ t_2)\ \mathsf{be}\ !x\ \mathsf{in}\ t_3 \to \mathsf{let}\ t_1\ \mathsf{be}\ !y\ \mathsf{in}\ (\mathsf{let}\ t_2\ \mathsf{be}\ !x\ \mathsf{in}\ t_3)$

(com2): $(\mathsf{let}\ t_1\ \mathsf{be}\ !x\ \mathsf{in}\ t_2)\ t_3 \to \mathsf{let}\ t_1\ \mathsf{be}\ !x\ \mathsf{in}\ (t_2\ t_3)$

Fig. 2. Reduction rules



Pro­position 4 (local confluence). The reduction relation $\to$ on terms is locally confluent: if $t \to t_1$ and $t \to t_2$ then there exists $t'$ such that $t_1 \to^{*} t'$ and $t_2 \to^{*} t'$.



3 Bounds on the Reduction 



We want to find a polynomial bound on the length of reduction sequences of 
terms, similar to that holding for SLL proof-nets ([15]). For that we must define 
a parameter on terms corresponding to the maximal arity of the multiplexing 
links in SLL proof-nets. 



Definition 4. The rank $rank(t)$ of a term $t$ is defined inductively by:

$rank(x) = 0$, \quad $rank(!t) = rank(t)$, \quad $rank(\lambda x.t) = rank(t)$, \quad $rank((t_1\ t_2)) = \max(rank(t_1), rank(t_2))$,

$rank(\mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_1) = \max(rank(u), rank(t_1))$ if $x \in TV(t_1)$,

$rank(\mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_1) = \max(rank(u), rank(t_1), no(x,t_1))$ if $x \notin TV(t_1)$.

The first case in the definition of $rank(\mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_1)$ corresponds to a promotion, while the second one corresponds to a multiplexing and is the key case in this definition.

To establish the bound we will adapt the argument given by Lafont for proof-nets. First we define for a term $t$ and an integer $n$ the weight $W(t,n)$ by:

$W(x,n) = 1$, \quad $W(\lambda x.t, n) = W(t,n) + 1$, \quad $W((t_1\ t_2), n) = W(t_1,n) + W(t_2,n)$,

$W(!u, n) = n\,W(u,n) + 1$, \quad $W(\mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_1, n) = W(u,n) + W(t_1,n)$.



We have the following key lemma:

Lemma 6. Let $t$ be a term and $n \ge rank(t)$.

1. if $x \notin TV(t)$ and $no(x,t) = k$, then: $W(t[u/x],n) \le W(t,n) + k\,W(u,n)$.

2. if $x \in TV(t)$ then: $W(t[u/x],n) \le W(t,n) + n\,W(u,n)$.



Proposition 5. Let $t$ be a term and $n > rank(t)$. If $t \to t'$ by a $(\beta)$ or $(!)$ reduction rule then $W(t',n) < W(t,n)$.

Proof. If $t \xrightarrow{a} t'$ with $a = (\beta)$ or $(!)$ then there is a context $C$ and a redex $r$ such that $t = C[r]$, $t' = C[r']$ and $r \xrightarrow{a} r'$.





Soft lambda-Calculus: A Language for Polynomial Time Computation 



We prove the statement by induction on the context $C$, for a given $n > rank(t)$. Let us consider the basic case of the empty context, i.e. $t = r$, using the definitions of terms and rank, and lemma 6: for instance for a $(!)$ reduction rule,

$r = \mathsf{let}\ !u\ \mathsf{be}\ !x\ \mathsf{in}\ r_1$, \quad $r' = r_1[u/x]$,

$W(r,n) = W(\mathsf{let}\ !u\ \mathsf{be}\ !x\ \mathsf{in}\ r_1, n) = n\,W(u,n) + 1 + W(r_1,n)$.

If $x \in TV(r_1)$ then by lemma 6 $W(r',n) < W(r,n)$; otherwise we have $x \in FV(r_1) \setminus TV(r_1)$ and:

$W(r',n) \le W(r_1,n) + no(x,r_1)\,W(u,n) \le W(r_1,n) + rank(r)\,W(u,n) \le W(r_1,n) + n\,W(u,n) < W(r,n)$.

The case of a $(\beta)$ reduction is easy.

The induction on $C$ is straightforward, using in the case $C = !C_1$ the fact that $n \ge 1$, as we have the strict inequality $n > rank(t)$.
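As an added worked example (this is not code from the paper), a small Python model of the definitions used so far: it decides membership in $\mathcal{T}$ and computes $TV(t)$ following Definition 1, computes $rank(t)$ (Definition 4) and the weight $W(t,n)$, and performs a root $(\beta)$ or $(!)$ step from Figure 2, so the strict decrease of Proposition 5 can be checked on a constructed term. The tuple encoding, the function names and the sample terms are this example's own assumptions.

```python
# Constructed tuple encoding of SLC pseudo-terms (this example's own, not the paper's):
#   ('var', x) = x     ('lam', x, t) = λx.t     ('app', t1, t2) = (t1 t2)
#   ('bang', t) = !t   ('let', u, x, t) = let u be !x in t

def fv(t):
    """Free variables FV(t)."""
    k = t[0]
    if k == 'var': return {t[1]}
    if k == 'lam': return fv(t[2]) - {t[1]}
    if k == 'app': return fv(t[1]) | fv(t[2])
    if k == 'bang': return fv(t[1])
    return fv(t[1]) | (fv(t[3]) - {t[2]})  # let: x is bound in the body only

def no(x, t):
    """Number of free occurrences no(x, t)."""
    k = t[0]
    if k == 'var': return int(t[1] == x)
    if k == 'lam': return 0 if t[1] == x else no(x, t[2])
    if k == 'app': return no(x, t[1]) + no(x, t[2])
    if k == 'bang': return no(x, t[1])
    return no(x, t[1]) + (0 if t[2] == x else no(x, t[3]))

def tv(t):
    """Temporary variables TV(t) per Definition 1; raises ValueError when t is not a term."""
    k = t[0]
    if k == 'var':
        return set()
    if k == 'lam':
        x, body = t[1], t[2]
        if x in tv(body) or no(x, body) > 1:
            raise ValueError('abstraction on a temporary or non-linear variable')
        return tv(body)
    if k == 'bang':
        body = t[1]
        if tv(body) or any(no(y, body) != 1 for y in fv(body)):
            raise ValueError('! applied to a term with temporary or non-linear variables')
        return set(fv(body))  # the free variables become temporary
    a, b = (t[1], t[2]) if k == 'app' else (t[1], t[3])  # application or let
    ta, tb = tv(a), tv(b)
    if ta & fv(b) or fv(a) & tb:  # side conditions of cases 3 and 5
        raise ValueError('temporary variable shared between subterms')
    return ta | tb if k == 'app' else ta | (tb - {t[2]})

def is_term(t):
    """True iff t satisfies Definition 1."""
    try:
        tv(t)
        return True
    except ValueError:
        return False

def rank(t):
    """rank(t) of Definition 4: the maximal multiplexing arity."""
    k = t[0]
    if k == 'var': return 0
    if k in ('lam', 'bang'): return rank(t[-1])
    if k == 'app': return max(rank(t[1]), rank(t[2]))
    u, x, body = t[1], t[2], t[3]
    r = max(rank(u), rank(body))
    return r if x in tv(body) else max(r, no(x, body))  # multiplexing counts no(x, t1)

def weight(t, n):
    """The weight W(t, n) of section 3."""
    k = t[0]
    if k == 'var': return 1
    if k == 'lam': return weight(t[2], n) + 1
    if k == 'app': return weight(t[1], n) + weight(t[2], n)
    if k == 'bang': return n * weight(t[1], n) + 1
    return weight(t[1], n) + weight(t[3], n)

def subst(t, x, u):
    """t[u/x]; assumes bound variables are distinct from FV(u), which the samples respect."""
    k = t[0]
    if k == 'var': return u if t[1] == x else t
    if k == 'lam': return t if t[1] == x else ('lam', t[1], subst(t[2], x, u))
    if k == 'app': return ('app', subst(t[1], x, u), subst(t[2], x, u))
    if k == 'bang': return ('bang', subst(t[1], x, u))
    body = t[3] if t[2] == x else subst(t[3], x, u)
    return ('let', subst(t[1], x, u), t[2], body)

def step_root(t):
    """One (β) or (!) step at the root (Figure 2), or None if the root is not such a redex."""
    if t[0] == 'app' and t[1][0] == 'lam':  # ((λx.t) u) → t[u/x]
        return subst(t[1][2], t[1][1], t[2])
    if t[0] == 'let' and t[1][0] == 'bang':  # let !u be !x in t → t[u/x]
        return subst(t[3], t[2], t[1][1])
    return None

# Constructed sample: let !(λy.y) be !x in (x x) is a multiplexing of arity 2, so rank 2;
# with n = rank + 1 = 3 its weight is 9 and drops to 4 after the (!) step, as Prop. 5 predicts.
ID = ('lam', 'y', ('var', 'y'))
DUP = ('let', ('bang', ID), 'x', ('app', ('var', 'x'), ('var', 'x')))
BAD = ('bang', ('app', ('var', 'z'), ('var', 'z')))  # !(z z): z occurs twice, not a term

if __name__ == '__main__':
    n = rank(DUP) + 1
    print(is_term(DUP), rank(DUP), weight(DUP, n), weight(step_root(DUP), n), is_term(BAD))
```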

For the commutation rules we have $W(t',n) = W(t,n)$. So we need to use a measure of the commutations in a reduction sequence to be able to bound the global length. We make an adaptation of the weight used in [20].

Given an integer $n$ and a term $t$, for each subterm occurrence in $t$ of the form $t_1 = \mathsf{let}\ u\ \mathsf{be}\ !x\ \mathsf{in}\ t_2$, we define the measure of $t_1$ in $t$ by:

$m(t_1, t) = W(t,n) - W(t_2,n)$

and $M(t,n)$, the measure of $t$, by the sum of $m(t_1, t)$ for all subterms $t_1$ of $t$ which are let expressions.

Proposition 6. Let $t$ be a term and $n > rank(t)$. If $t \to t'$ by a commutation reduction rule then $M(t',n) < M(t,n)$.

Given a term t we denote by nlet{t) the number of subterm occurrences of 
let expressions in t. 

Lemma 7. Let $t$ be a term and $n \ge 1$. We have $nlet(t) \le W(t,n) - 1$.

Proposition 7. If $t$ is a term and $p = d(t)$, $k = W(t,1)$, and $n \ge 1$ then:

$W(t,n) \le k\,n^{p}$

Theorem 1. [Polynomial strong normalization]

For any integer $d$ there is a polynomial $P_d$ (with degree linear in $d$) such that: for any term $t$ of depth $d$, any sequence of reductions of $t$ has length bounded by $P_d(|t|)$.

Proof. Let $t$ be a term of depth $d$ and $n > rank(t)$. We will call round a sequence of reductions and proper round a non-empty sequence of $(\beta)$ and $(!)$ reductions.

If $t \xrightarrow{\sigma} t'$ then there is an integer $l$ such that $\sigma$ can be described by an alternate sequence of commutation rules rounds and proper rounds as follows:

$t = t_1 \xrightarrow[(\mathrm{com})]{*} t_2 \xrightarrow[(\beta),(!)]{*} t_3 \ \ldots\ t_{2i+1} \xrightarrow[(\mathrm{com})]{*} t_{2i+2} \xrightarrow[(\beta),(!)]{*} t_{2i+3} \ \ldots\ t_{2l+1} \xrightarrow[(\mathrm{com})]{*} t_{2l+2} = t'$

Remark that the alternate sequence starts and finishes with a commutation rules round. The sequence $\sigma$ contains $l$ proper rounds. Because each such round strictly decreases the weight of $t$ (Prop. 5) and the commutation rules leave the weight unchanged we have $l \le W(t,n)$. Moreover the length of all proper rounds in $\sigma$ is bounded by $W(t,n)$.

On the other hand we have by definition and lemma 7:

$M(t',n) \le nlet(t')\,W(t',n) \le (W(t',n))^{2} - W(t',n) \le (W(t,n))^{2} - W(t,n)$.

There are at most $(l+1)$ commutation rules rounds, so by Prop. 6 the length of all such rounds is bounded by $(l+1)\,((W(t,n))^{2} - W(t,n))$. Then we deduce:

$|\sigma| \le (l+1)\,((W(t,n))^{2} - W(t,n)) + W(t,n) \le (W(t,n))^{3}$

Finally this result can be applied to any $n > rank(t)$. One can check that for any pseudo-term $t$ we have $|t| > rank(t)$. Consider $n = |t|$; by Prop. 7 we obtain that

where $d = d(t)$.

Remark 1. If a term $t$ of depth $d$ corresponds to a program and $u$ to an argument such that $d(u) \le d$, then $(t\ u)$ normalizes in at most $Q_d(|u|)$ steps for some polynomial $Q_d$.

By the previous theorem, if $(t\ u) \xrightarrow{\sigma} t'$ then $|\sigma| \le (|t| + |u|)^{3(d+1)}$ because $d((t\ u)) = d(t) = d$. Let $Q_d(X)$ be the following polynomial:

$Q_d(X) = (X + |t|)^{3(d+1)}$.

Note that theorem 1 shows that the calculus is strongly polytime in the sense 
of [20]: there exists a polynomial bounding the length of any reduction sequence 
(no matter the reduction strategy). An obvious consequence is then: 

Corollary 1 (Strong normalization). The terms of soft lambda calculus are 
strongly normalizing. 



Corollary 2 (Confluence property). If a term $t$ is such that $t \to^{*} u$ and $t \to^{*} v$ then there exists a term $w$ such that $u \to^{*} w$ and $v \to^{*} w$.

Proof. By local confluence (Proposition 4) and strong normalization. 



4 Extension of the Calculus

Thanks to full weakening, the connectives $\otimes$ and $\oplus$ (as well as $\&$ and $\exists$) and the constant $1$ are definable from $\{\multimap, \forall\}$ ([3], [21]):

$A \otimes B = \forall\alpha.((A \multimap B \multimap \alpha) \multimap \alpha)$ \qquad $1 = \forall\alpha.(\alpha \multimap \alpha)$

$A \oplus B = \forall\alpha.((A \multimap \alpha) \multimap (B \multimap \alpha) \multimap \alpha)$
$\dfrac{\Gamma, x_1 : A_1, x_2 : A_2 \vdash t : B}{\Gamma, x : A_1 \otimes A_2 \vdash \mathsf{let}\ x\ \mathsf{be}\ x_1 \otimes x_2\ \mathsf{in}\ t : B}$ (left $\otimes$)

$\dfrac{\Gamma_1 \vdash t_1 : A_1 \qquad \Gamma_2 \vdash t_2 : A_2}{\Gamma_1, \Gamma_2 \vdash t_1 \otimes t_2 : A_1 \otimes A_2}$ (right $\otimes$)

$\dfrac{\Gamma \vdash t : A}{\Gamma \vdash \mathsf{inl}(t) : A \oplus B}$ (right $\oplus_1$) \qquad $\dfrac{\Gamma \vdash t : B}{\Gamma \vdash \mathsf{inr}(t) : A \oplus B}$ (right $\oplus_2$)

$\dfrac{\Gamma, x_1 : A_1 \vdash t_1 : B \qquad \Gamma, x_2 : A_2 \vdash t_2 : B}{\Gamma, x : A_1 \oplus A_2 \vdash \mathsf{case}\ x\ \mathsf{of}\ \mathsf{inl}(x_1) \Rightarrow t_1\ |\ \mathsf{inr}(x_2) \Rightarrow t_2 : B}$ (left $\oplus$)

Fig. 3. Derived rules

The typing rules of ISAL and:

$\dfrac{x : \mu X.A, \Gamma \vdash t : B}{x : A[\mu X.A/X], \Gamma \vdash t : B}$ (left unfold) \qquad $\dfrac{\Gamma \vdash t : \mu X.A}{\Gamma \vdash t : A[\mu X.A/X]}$ (right unfold)

$\dfrac{x : A[\mu X.A/X], \Gamma \vdash t : B}{x : \mu X.A, \Gamma \vdash t : B}$ (left fold) \qquad $\dfrac{\Gamma \vdash t : A[\mu X.A/X]}{\Gamma \vdash t : \mu X.A}$ (right fold)

Fig. 4. ISALF typing rules



We use as syntactic sugar the following new constructions on terms with the typing rules of Figure 3 (we follow the presentation of [1]):

$(t_1 \otimes t_2)$, \quad $\mathsf{let}\ u\ \mathsf{be}\ x_1 \otimes x_2\ \mathsf{in}\ t$,

$\mathsf{inl}(t)$, \quad $\mathsf{inr}(t)$, \quad $\mathsf{case}\ u\ \mathsf{of}\ \mathsf{inl}(x) \Rightarrow t_1\ |\ \mathsf{inr}(y) \Rightarrow t_2$

We denote by $1$ the closed term of type $1$. The derived reduction rules for these constructions are:

$\mathsf{let}\ (t_1 \otimes t_2)\ \mathsf{be}\ x_1 \otimes x_2\ \mathsf{in}\ u \to u[t_1/x_1, t_2/x_2]$

$\mathsf{case}\ \mathsf{inl}(u)\ \mathsf{of}\ \mathsf{inl}(x_1) \Rightarrow t_1\ |\ \mathsf{inr}(x_2) \Rightarrow t_2 \to t_1[u/x_1]$

$\mathsf{case}\ \mathsf{inr}(u)\ \mathsf{of}\ \mathsf{inl}(x_1) \Rightarrow t_1\ |\ \mathsf{inr}(x_2) \Rightarrow t_2 \to t_2[u/x_2]$

We also use as syntactic sugar, for $x$ a variable: $\mathsf{let}\ u\ \mathsf{be}\ x\ \mathsf{in}\ t = ((\lambda x.t)\ u)$.
We now enlarge the language of types with a fixpoint construction:

$T ::= \alpha \mid T \multimap T \mid \forall\alpha.T \mid\ !T \mid \mu\alpha.T$

We add the corresponding typing rule and denote by ISALF, intuitionistic light affine logic with fixpoints, the new system: Figure 4.

Proposition 8. If $t$ is a pseudo-term typable in ISALF then $t$ is a well-formed term.

Proof. One simply extends the inductive proof of Prop. 2 to ISALF derivations. 
We have four new rules to consider but as the i.h. does not make any use of the 
types in the judgement these cases are all trivial. 

Proposition 9 (Subject reduction). If we have in the system ISALF $\Gamma \vdash t : A$ and $t \to t'$ then $\Gamma \vdash t' : A$.

Basically this result follows from the fact that as a logical system ISALF admits cut-elimination.
Note that even though we have no restriction on the types on which we take
fixpoints, the typed terms are always normalizable and have a polynomial bound 
on the length of their reduction. This follows from the fact that the polynomial 
termination result (Theorem 1) already holds for untyped terms. 

In the following we will handle terms typed in ISALF. Rather than giving the explicit type derivations in the previous system, which is a bit tedious because it is a sequent-calculus style presentation, we will use a Church typing notation. The recursive typing rules and second-order rules will be left implicit. From this notation it is possible to reconstruct an explicit type derivation if needed. Here is an example of a typed term (the integer 2 in unary representation):

$\lambda s^{!(\alpha \multimap \alpha)}.\lambda x^{\alpha}.\mathsf{let}\ s\ \mathsf{be}\ !s'\ \mathsf{in}\ (s'\ (s'\ x))^{\alpha} : N$.

5 Datatypes and List Processing 

5.1 Datatypes for Lists 

Given a type $A$, we consider the following types defining lists of elements of $A$:

$\mathcal{L}(A) = \forall\alpha.!(A \multimap \alpha \multimap \alpha) \multimap \alpha \multimap \alpha$, \qquad $L(A) = \mu X.(1 \oplus (A \otimes X))$.

The type $\mathcal{L}(A)$ is the adaptation of the usual system F type for lists. It supports an iteration scheme, but does not make it possible to define in SLC a cons function with type $\mathcal{L}(A) \multimap A \multimap \mathcal{L}(A)$. This is analogous to the fact that $N$ does not allow for a successor function with type $N \multimap N$ ([15]).

The type $L(A)$ on the contrary allows us to define the usual basic functions on lists cons, tail, head, but does not support iteration. The empty list for type $L(A)$ is given by $e = \mathsf{inl}(1)$ and the basic functions by:

$\mathit{cons} = \lambda l^{L(A)}.\lambda a^{A}.\mathsf{inr}(a \otimes l) : L(A) \multimap A \multimap L(A)$

$\mathit{tail} = \lambda l^{L(A)}.\mathsf{case}\ l\ \mathsf{of}\ \mathsf{inl}(l') \Rightarrow \mathsf{inl}(l')\ |\ \mathsf{inr}(l') \Rightarrow \mathsf{let}\ l'\ \mathsf{be}\ a \otimes l''\ \mathsf{in}\ l'' : L(A) \multimap L(A)$

$\mathit{head} = \lambda l^{L(A)}.\mathsf{case}\ l\ \mathsf{of}\ \mathsf{inl}(l') \Rightarrow a_0\ |\ \mathsf{inr}(l') \Rightarrow \mathsf{let}\ l'\ \mathsf{be}\ a \otimes l''\ \mathsf{in}\ a : L(A) \multimap A$

where $a_0$ is a dummy value returned by head if the list is empty. We would like to somehow bring together the advantages of $\mathcal{L}(A)$ and $L(A)$ in a single datatype. This is what we will try to do in the next sections.



5.2 Types with Integer 

Our idea is, given a datatype $A$, to add to it a type $N$ so as to be able to iterate on $A$. The type $N \otimes A$ would be a natural candidate, but it does not allow for a suitable iteration. We therefore consider the following type:

$N[A] = \forall\alpha.!(\alpha \multimap \alpha) \multimap \alpha \multimap (A \otimes \alpha)$
Given an integer $n$ and a closed term $a$ of type $A$, we define an element of $N[A]$:

$n[a] = \lambda s^{!(\alpha\multimap\alpha)}.\lambda x^{\alpha}.\mathsf{let}\ s\ \mathsf{be}\ !s'\ \mathsf{in}\ (a \otimes (s'\ s' \ldots s'\ x)^{\alpha}) : N[A]$

where $s'$ is repeated $n$ times.

We can give terms allowing us to extract from an element $n[a]$ of type $N[A]$ either the data $a$ or the integer $n$.



$\mathit{extractd} : N[A] \multimap A$ \qquad $\mathit{extractint} : N[A] \multimap N$

For instance:

$\mathit{extractd} = \lambda p^{N[A]}.\mathsf{let}\ (p\ \mathit{id}^{\alpha\multimap\alpha})\ \mathsf{be}\ a^{A} \otimes r^{\alpha}\ \mathsf{in}\ a$,

where $\mathit{id}$ is the identity term and $\beta = \alpha \multimap \alpha$.

However it does not seem possible to extract both the data and the integer with a term of type $N[A] \multimap N \otimes A$. On the contrary from $n$ and $a$ one can build $n[a]$ of type $N[A]$:

$\mathit{build} = \lambda t.\mathsf{let}\ t\ \mathsf{be}\ n \otimes a\ \mathsf{in}\ \lambda s.\lambda x.(a \otimes (n\ s\ x)) : N \otimes A \multimap N[A]$.

We can turn the construction $N[.]$ into a functor: let us define the action of $N[.]$ on a closed term $f : A \multimap B$ by

$N[f] = \lambda p^{N[A]}.\lambda s^{!(\alpha\multimap\alpha)}.\lambda x^{\alpha}.\mathsf{let}\ (p\ s\ x)\ \mathsf{be}\ a \otimes r\ \mathsf{in}\ ((f\ a)^{B} \otimes r^{\alpha})$.

Then $N[f] : N[A] \multimap N[B]$, and $N[.]$ is a functor.

We have the following principles:

$\mathit{absorb} : N[A] \otimes B \multimap N[A \otimes B]$, \qquad $\mathit{out} : N[A \multimap B] \multimap (A \multimap N[B])$.

The term $\mathit{absorb}$ for instance is defined by:

$\mathit{absorb} = \lambda t^{N[A] \otimes B}.\lambda s^{!(\alpha\multimap\alpha)}.\lambda x^{\alpha}.\mathsf{let}\ t\ \mathsf{be}\ p \otimes b\ \mathsf{in}\ \mathsf{let}\ (p\ s\ x)\ \mathsf{be}\ a \otimes r\ \mathsf{in}\ ((a \otimes b) \otimes r)$.



5.3 Application to Lists 

In the following we will focus our interest on lists. We will use as a shorthand notation $L'(A)$ for $N[L(A)]$. The terms described in the previous section can be specialized to this particular case.

In practice here we will use the type $L'(A)$ with the following meaning: the elements $n[l]$ of $L'(A)$ handled are expected to be such that the list $l$ has length less than or equal to $n$. We will then be able to do iterations on a list up to its length.

The function $\mathit{erase}$ maps $n[l]$ to $n[e]$ where $e$ is the empty list; it is obtained by a small modification of $\mathit{extractint}$.

$\mathit{erase} : L'(A) \multimap L'(A)$

$\mathit{erase} = \lambda p^{L'(A)}.\lambda s^{!(\alpha\multimap\alpha)}.\lambda x^{\alpha}.\mathsf{let}\ (p\ s\ x)\ \mathsf{be}\ l \otimes r^{\alpha}\ \mathsf{in}\ (e \otimes r^{\alpha})$
We have for the type $L'(A)$ an iterator given by: 

$Iter : \forall\alpha.\,!(\alpha \multimap \alpha) \multimap \alpha \multimap L'(A) \multimap (L(A) \otimes \alpha)$ 

$Iter = \lambda F.\lambda e.\lambda p.(p\ F\ e)$ 

If $F$ has type $B \multimap B$, $e$ has type $B$ and $F$ has free variables $\bar{x}$, then if $f = 
(Iter\ (\text{let } \bar{x} \text{ be } !\bar{x}' \text{ in } !F)\ e)$ we have: 

$(f\ n[l]) \to^{*} l \otimes (\text{let } \bar{x} \text{ be } !\bar{x}' \text{ in } (F \ldots (F\ e) \ldots)),$ 

where in the r.h.s. term $F$ is repeated $n$ times. Such an iterator can in fact be 
described more generally for any type $N[A]$ instead of $N[L(A)]$. 

Using iteration we can build a function which reconstructs an element of 
$L'(A)$; it acts as an identity function on $L'(A)$ but is interesting though because 
in the sequel we will need to consume and restore integers in this way: 

$U = \text{let } s \text{ be } !s' \text{ in } !(\lambda r^{\alpha}.(s'\ r)^{\alpha}) : !(\alpha \multimap \alpha), \quad \text{with } FV(U) = \{s^{!(\alpha\multimap\alpha)}\}$ 

$reconstr = \lambda p^{L'(A)}.\lambda s^{!(\alpha\multimap\alpha)}.\lambda x^{\alpha}.(Iter\ U\ x\ p) : L'(A) \multimap L'(A)$ 

Given terms $t : A \multimap B$ and $u : B \multimap C$ we will denote by $t; u : A \multimap C$ the 
composition of $t$ and $u$ defined as $(\lambda a^{A}.(u\ (t\ a)))$. 

Finally we have the usual functions on lists with type $L'(A)$, using the ones 
defined before for the type $L(A)$: 

$tail' = N[tail] : L'(A) \multimap L'(A)$ 

$head' = N[head]; extractd : L'(A) \multimap A$ 

$cons' = N[cons]; out : L'(A) \multimap A \multimap L'(A)$ 

Note that to preserve the invariant on elements of $L'(A)$ mentioned at the be- 
ginning of the section we will need to apply $cons'$ to elements $n[l]$ such that 
$n \geq m + 1$ where $m$ is the length of $l$. 

5.4 Example: Insertion Sort 

We illustrate the use of the type $N[L(A)]$ by giving the example of the insertion 
sort algorithm. Unlike the setting of Light affine logic with system F-like 
types, we can here define functions obtained by successive nested structural 
recursions. Insertion sort provides such an example with two recursions. We use 
the presentation of this algorithm described in [13]. 

The type $A$ represents a totally ordered set (we denote the order by $\leq$) that 
we suppose to be finite for simplification. Let us assume that we have for $A$ a 
comparison function which returns its inputs: 

$comp : A \otimes A \multimap A \otimes A, \quad \text{with } (comp\ a_0\ a_1) \to^{*} \begin{cases} (a_0 \otimes a_1) & \text{if } a_0 \leq a_1, \\ (a_1 \otimes a_0) & \text{otherwise.} \end{cases}$ 

The function $comp$ can in fact be defined in SLC. 
Insertion in a Sorted List 

Let $a_0$ be an arbitrary element of type $A$. We will do an iteration on type 
$B = L(A) \multimap A \multimap (L(A) \otimes \alpha)$. The iterated function will reconstruct the integer 
used for its iteration. Let us take $F : !(B \multimap B)$ with $FV(F) = \{s^{!(\alpha\multimap\alpha)}\}$ given 
by: 

$F = \text{let } s \text{ be } !s' \text{ in } !(\lambda\phi^{B}.\lambda l^{L(A)}.\lambda a^{A}.$ 
$\quad \text{case } l \text{ of } inl(l_1) \Rightarrow \text{let } (\phi\ \epsilon\ a_0) \text{ be } l' \otimes r^{\alpha} \text{ in } ((cons\ a\ \epsilon) \otimes (s'\ r)^{\alpha})$ 
$\quad\ |\ inr(l_1) \Rightarrow \text{let } l_1 \text{ be } b \otimes l' \text{ in}$ 
$\qquad \text{let } (comp\ a\ b) \text{ be } a_1 \otimes a_2 \text{ in}$ 
$\qquad \text{let } (\phi\ l'\ a_2) \text{ be } l'' \otimes r \text{ in } ((cons\ a_1\ l'') \otimes (s'\ r)^{\alpha}))$ 

Let $e : B$ be the term $e = (\lambda l^{L(A)}.\lambda a^{A}.(l \otimes x^{\alpha}))$. Note that $FV(e) = \{x^{\alpha}\}$. 

Then we have: $s : !(\alpha \multimap \alpha),\ x : \alpha \vdash (Iter\ F\ e) : L'(A) \multimap L(A) \otimes B$. 

Finally we define: 

$insert = \lambda p^{L'(A)}.\lambda a^{A}.\lambda s^{!(\alpha\multimap\alpha)}.\lambda x^{\alpha}.\ \text{let } (Iter\ F\ e\ p)^{L(A)\otimes B} \text{ be } l^{L(A)} \otimes b^{B} \text{ in } (b\ l\ a)$ 

and get: $insert : L'(A) \multimap A \multimap L'(A)$. 

Insertion Sort 

We define our sorting program by iteration on $B = L(A) \otimes L'(A)$. The left- 
hand-side list is the list to process while the r.h.s. one is the resulting sorted list. 
Then $F : !(B \multimap B)$ is the closed term given by: 

$F = !(\lambda t^{B}.\ \text{let } t \text{ be } l_1 \otimes p \text{ in case } l_1 \text{ of}$ 
$\quad inl(l_2) \Rightarrow inl(l_2) \otimes p$ 
$\quad\ |\ inr(l_2) \Rightarrow \text{let } l_2 \text{ be } a \otimes l_3 \text{ in } (l_3 \otimes (insert\ p\ a)^{L'(A)}))$ 

$e = l^{L(A)} \otimes (erase\ p_0)^{L'(A)} : B$ 

We then have: 

$l : L(A),\ p_0 : L'(A) \vdash (Iter\ F\ e) : L'(A) \multimap L(A) \otimes B$ 

So we define: 

$presort = \lambda p_0^{L'(A)}.\lambda p_1^{L'(A)}.\lambda p_2^{L'(A)}.$ 
$\quad \text{let } (extractd\ p_1) \text{ be } l \text{ in}$ 
$\quad \text{let } (Iter\ F\ e\ p_2) \text{ be } l' \otimes l'' \otimes p' \text{ in } p'$ 

Using multiplexing we then get: 

$sort = \lambda p^{!L'(A)}.\ \text{let } p \text{ be } !p' \text{ in } (presort\ p'\ p'\ p')^{L'(A)} : !L'(A) \multimap L'(A)$ 

Remark 2. More generally the construction $N[.]$ can be applied successively to 
define the following family of types: $N^{0}[A] = A$, $N^{k+1}[A] = N[N^{k}[A]]$. 

This allows to type programs obtained by several nested structural recur- 
sions. For instance insertion sort could be programmed with a type of this 
family. This will be detailed in a future work. 

5.5 Iteration 

We saw that with the previous iterator $Iter$ one could define from $F : B \multimap B$ 
and $e : B$ an $f$ such that: $(f\ l[n]) \to^{*} l \otimes (\text{let } \bar{x} \text{ be } !\bar{x}' \text{ in } (F \ldots (F\ e) \ldots))$. 
However the drawback here is that $l$ is not used in $e$. We can define a new 
iterator which does not have this defect, using the technique already illustrated 
by the insertion term. Given a type variable $\alpha$, we set $C = L(A) \multimap \alpha$. 

If $g$ is a variable of type $!(\alpha \multimap \alpha)$, we define: 

$G' = \text{let } g^{!(\alpha\multimap\alpha)} \text{ be } !f \text{ in } !(\lambda b^{C}.\lambda l^{L(A)}.(f\ (b\ l))^{\alpha}) : !(C \multimap C)$ 

Then: $It = \lambda g^{!(\alpha\multimap\alpha)}.\lambda e^{C}.\lambda p^{L'(A)}.\ \text{let } (Iter\ G'\ e\ p) \text{ be } l \otimes h \text{ in } (h\ l)^{\alpha}$ 

$It : \forall\alpha.\,!(\alpha \multimap \alpha) \multimap (L(A) \multimap \alpha) \multimap L'(A) \multimap \alpha$ 

So if $f = (It\ (\text{let } \bar{x} \text{ be } !\bar{x}' \text{ in } !F)\ \lambda l_0.e')$ we have: 

$(f\ l[n]) \to^{*} \text{let } \bar{x} \text{ be } !\bar{x}' \text{ in } (F \ldots (F\ e'[l/l_0]) \ldots)$ 
where in the r.h.s. term $F$ is repeated $n$ times. 



6 Conclusion and Future Work 

We studied a variant of lambda-calculus (SLC) which can be typed in Soft affine 
logic and is intrinsically polynomial. The contribution of the paper is twofold: 

(i) We showed that the ideas at work in Soft linear logic to control duplication 
can be used in a lambda-calculus setting with a concise untyped language. Note 
that the language of our calculus is simpler than those of calculi corresponding 
to ordinary linear logic such as in [5,1]. Even if the underlying intuitions come 
from proof-nets and Lafont’s results, we think that this new presentation will 
facilitate further study of Soft logic. 

(ii) We investigated the use of recursive types in conjunction with Soft logic. 
They allowed us to define non-standard types for lists and we illustrated the 
expressiveness of SLC by programming the insertion sort algorithm. 

We think SLC provides a good framework to study the algorithmic possibil- 
ities offered by the ideas of Soft logic. One drawback of the examples we gave 
here is that their programming is somewhat too low-level. One would like to 
have some generic way of programming functions defined by structural recursion 
(with some conditions) that could be compiled into SLC. Current work in this 
direction is under way with Kazushige Terui. It would be interesting to be able 
to state sufficient conditions on algorithms, maybe related to space usage, for 
being programmable in SLC. 
Abstract. A central question in the domain of program semantics and 
program verification is the existence of a complete inference system for 
assertions of the form $\pi \models \varphi$ meaning that program $\pi$ satisfies prop- 
erty $\varphi$. A stronger version of this question asks for an effective (de- 
cidable) complete inference system. We investigate these questions for 
cryptographic protocols focusing on authentication and confidentiality 
properties. While it is not difficult to see that a complete and effective 
inference system cannot exist when an unbounded number of sessions are 
considered, we prove that such a system exists for bounded protocols. 
More precisely, 1) we provide a complete weakest pre-condition calcu- 
lus for bounded cryptographic protocols and 2) we show that assertions 
needed for completeness of the calculus are expressible in a decidable 
second order logic on terms. 



1 Introduction 

A central question in the domain of program semantics and program verification 
is the existence of a complete (and sound) inference system for assertions of the 
form $\pi \models \varphi$ meaning that program $\pi$ satisfies property $\varphi$. A stronger version of 
this question asks for an effective (decidable) complete inference system. This is 
the question of the relationship between the truth of formulae of the form $\pi \models \varphi$ 
and their provability. For While-programs (or counter machines), for instance, 
it has been proved that it is possible to design an inference system such that 
provability implies truth (i.e., soundness) but impossible to have a sound system 
that is also complete and effective, i.e., it is impossible to have a decidable infer- 
ence system such that truth implies provability (see [9] for a complete survey). 
Roughly speaking, the reason is that one can describe transitive closures using 
while programs while this is not possible in general in 1st-order logics except 
when Peano arithmetic is included. In other words, one has to sacrifice effec- 
tiveness (e.g., by including Peano arithmetic in the logic), or completeness and 
accept that some valid formulae $\pi \models \varphi$ cannot be proved or even expressed. 
This situation of While-programs led to what is called Cook's relative com- 
pleteness: is it possible to have a complete inference system for programs, if we 
assume all facts of the underlying logic as axioms, i.e., all facts about the consid- 
ered data are given? The main question we address in this paper is the following: 
what is the situation for cryptographic protocols? 

Beyond the theoretic relevance of this question, it has several practical conse- 
quences. Indeed, if one can provide a complete inference system for cryptographic 
protocols this can serve as a basis to develop compositional proof theories as well 
as refinement theories. The latter would be of great interest as the problem of 
composing cryptographic protocols (CP for short), i.e., which properties are pre- 
served when CPs are composed, as well as the relationship between the abstract 
specification of a CP and its real implementation remain two insufficiently in- 
vestigated subjects (cf. [15]). Moreover, a decidable complete inference system 
provides a symbolic decision procedure. 

In this paper, we introduce a complete and effective inference system for 
bounded cryptographic protocols. Let us explain what we mean. A session of a 
cryptographic protocol can be specified as a sequence of sending and receiving 
messages. One can consider either fixed bounded number of sessions or an un- 
bounded one. In the first case, we speak about bounded protocols but in both 
cases the size of the messages is unbounded. It is not difficult to encode a counter 
machine as an unbounded CP. Hence, we know that it is not possible to have an 
effective complete (and sound) inference system. We show that such a system ex- 
ists for bounded protocols. This provides an alternative proof of the decidability 
of secrecy for bounded CPs and covers more properties than in existing work. We 
introduce a logic, called SPL for Security Properties Logic, for describing security 
properties and develop a calculus for computing the weakest condition that has 
to be satisfied by the initial configurations of the protocol in order to guarantee 
that a property described by an SPL formula is satisfied. We prove soundness 
and completeness for the introduced calculus. Then, we study the decidability 
of SPL and show that although the satisfiability (existence of a model) of SPL 
formulae is, in general, undecidable, it is decidable for its existential fragment, 
i.e., the satisfiability of formulae of the form $\exists X.\varphi$, where $\varphi$ is quantifier-free, 
can be decided effectively (Section 6). Now, it turns out that interesting security 
properties are expressible in the universal fragment of the logic (see Section 3.3) 
and that the weakest precondition of a universal formula is expressible as a uni- 
versal formula (Section 5). Hence, given a protocol $\pi$ and a property $\varphi$, using 
the calculus one can compute a formula $wp(\pi, \varphi)$ such that there is an attack 
starting from an initial state satisfying $\psi$ iff $\neg wp(\pi, \varphi) \wedge \psi$ is satisfiable. Thus, if 
$\psi$ is given in the existential fragment, which is the interesting situation, one can 
effectively check whether $\neg wp(\pi, \varphi) \wedge \psi$ is satisfiable. 

Related work. The results of this paper provide an algorithm for checking security 
properties (confidentiality and authentication) of cryptographic protocols. It has 
several interesting aspects: 

1. it covers other properties than confidentiality (secrecy); indeed while other 
methods rely on an ad hoc reduction of authentication properties to secrecy, 
our method is directly applicable. 
2. as initial configurations are described by formulae of the introduced logic, 
it can deal with infinite non-regular sets of messages initially known by the 
intruder. 

3. we believe that our method is more easily amenable to extended intruder 
models: in a full version, we also consider cipher block chaining. 

While several methods have been designed for the verification of a fixed 
number of sessions [18,1,3,16,12,7,8] to our knowledge it has not been previ- 
ously proven that a decidable and complete inference system for cryptographic 
protocols exists. 



2 Preliminaries 

Let $X$ be a countable set of variables and let $F_i$ be a countable set of function 
symbols of arity $i$, for every $i \in \mathbb{N}$. Let $F = \bigcup_{i \in \mathbb{N}} F_i$. The set of terms over $X$ 
and $F$ is denoted by $T(X, F)$. We denote by $\leq$ the subterm relation on $T(X, F)$. 
As usual, function symbols of arity 0 are called constant symbols. Ground terms 
are terms with no variables. We denote by $T(F)$ the set of ground terms over 
$F$. For any $t_1, t_2 \in T(X, F)$, we denote with $\mu(t_1, t_2)$ the most general unifier 
(shortly mgu) of $t_1$ and $t_2$, if it exists. More precisely, by $\mu(t_1, t_2)$ we denote the 
representation of the mgu of $t_1$ and $t_2$ as a conjunction of equalities of the form 
$x = t$, if it exists. If it does not exist then $\mu(t_1, t_2)$ should be the constant $false$ 
(falsum). We write $t_1 \sim t_2$ if $t_1$ and $t_2$ can be unified. Also, for any substitution 
$\sigma : X \to T(X, F)$, we denote by $t\sigma$ the application to $t$ of the homomorphic 
extension of $\sigma$ to terms. Given a set $x$ of variables, we denote by $\Gamma(x)$ the set 
consisting of ground substitutions with domain $x$. We also write $\Gamma(x)$ instead of 
$\Gamma(\{x\})$. 

Henceforth, we tacitly identify the term $t$ with its tree representation $Tr(t)$. 
The elements of $dom(t)$ are called positions in $t$. We use $\preceq$ to denote the prefix 
relation on $\omega^{*}$. We write $t(p)$ to denote the symbol at position $p$ in $t$ and $t|_p$ to 
denote the subterm of $t$ at position $p$, which corresponds to the tree $t|_p(x) = 
t(p \cdot x)$ with $x \in dom(t|_p)$ iff $p \cdot x \in dom(t)$. Given a term $t$ and positions $p$ and 
$q$, we say that $t|_p$ dominates $t|_q$ if $p \preceq q$. 

If $w_1, w_2 \in \Sigma^{*}$ are words over an alphabet $\Sigma$, then we denote by $w_2^{-1}w_1$ the 
word obtained from $w_1$ after removing the prefix $w_2$, when possible. Otherwise, 
$w_2^{-1}w_1$ is undefined. 



3 The Protocol and Intruder Model 

We describe in this section the model of cryptographic protocols used in this 
work. We mention that this model is by now a standard one used, for instance, 
in [4]. We begin by describing the messages involved in a protocol model. 
3.1 Messages 

The set of messages is denoted by $\mathcal{M}$ and contains ground terms constructed 
from constant symbols and the function symbols $encr : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$ and 
$pair : \mathcal{M} \times \mathcal{M} \to \mathcal{M}$, where $\mathcal{K}$ is a set of keys. Constant symbols are also called 
atomic messages and are defined as follows: 

1. Principal names are used to refer to the principals in a protocol. The set of 
all principals is $\mathcal{P}$. 

2. Nonces can be thought of as randomly generated numbers. As their values are 
unpredictable, they are used to witness the freshness of a message. We denote 
by $\mathcal{N}$ the set of nonces. 

3. Keys are used to encrypt messages. If $k$ is a key then we use $k^{-1}$ to denote 
its inverse. Moreover, we use $pbk(A)$ to denote the public key of $A$. 

For the sake of simplicity we leave out signature and hash functions but we can 
easily handle them in our model. 

Let $A = \mathcal{P} \cup \mathcal{N} \cup \mathcal{K}$ and $\mathcal{A} = A \cup \{encr, pair\}$. As usual, we write $(m_1, m_2)$ for 
$pair(m_1, m_2)$ and $\{m\}_k$ instead of $encr(m, k)$. Message terms are the elements 
of $T(X, \mathcal{A})$, that is, terms over the atoms $A$, a set of variables $X$ and the binary 
function symbols $encr$ and $pair$. Messages are ground terms in $T(X, \mathcal{A})$, i.e., 
$\mathcal{M} = T(\mathcal{A})$. For conciseness, we write $\mathcal{T}$ instead of $T(X, \mathcal{A})$. 

We assume the Dolev-Yao model [10]. For obvious reasons, we refrain from 
recalling the model here. We use the by now standard notation $E \vdash m$ to denote 
the fact that the intruder can derive the message $m$ from the set $E$ of messages. 
A derivation of a message that does not decompose any message is denoted by 
$E \vdash_c m$. We write $E \vdash M$, if $E \vdash m$ holds for every $m \in M$. 

For a term $t$, we use the notation $E \nvdash t$ to denote that no instance of $t$ is 
derivable from $E$, that is, for no substitution $\sigma : X \to \mathcal{M}$, we have $E \vdash t\sigma$. 

We now define critical and non-critical positions in a message. The idea is 
that since there is no way to deduce from an encrypted message the key with 
which it has been encrypted, the key position in messages of the form $encr(m, k)$ 
is not critical¹. Formally, given a term $t$, a position $p$ in $t$ is called non-critical, 
if there is a position $q$ such that $p = q \cdot 2$ and $t(q) = encr$; otherwise it is called 
critical. We will also use the notation $s \in_c m$ to denote that $s$ appears in $m$ at a 
critical position, i.e., there exists $p \in dom(m)$ such that $p$ is critical and $m|_p = s$. 

3.2 Process Model 

Actions are defined by: 




where $t \in \mathcal{T}$ is a term, $\ell, \ell'$ are labels and $x \subseteq var$ is a set of variables. An action 
is an output, an input, an assignment or just an equality test. In the case of an 

¹ For the insider, the critical position corresponds, for instance, to the subterm relation 
in the strand space model [11,20]. 







L. Bozga, C. Ene, and Y. Lakhnech 



input, $x$ denotes the variables that are instantiated by the action. The set of ac- 
tions is denoted by $Act$. A protocol is represented by a set of sequences of actions. 

More precisely, a protocol $\Pi$ is given by $\alpha_1 \oplus \cdots \oplus \alpha_k$, where $\alpha_i = \beta_1 \cdots \beta_{n_i}$ 
for some actions $\beta_j$ with $j \in \{1, \ldots, n_i\}$. Here, the labels $\ell$ represent control points and 
$\oplus$ is the usual non-deterministic choice. This corresponds to the representation 
of a fixed set of sessions put in parallel by their possible interleavings. Usually, 
we use the more intuitive notation $\ell_j \xrightarrow{\beta_j} \ell_{j+1}$ for an action $\beta_j$ leading from control point $\ell_j$ to $\ell_{j+1}$. 

A configuration of a protocol run is given by a triple $(\sigma, E, \ell_j)$ consisting of 
a substitution $\sigma$, a set of messages $E$ and a control point $\ell_j$. The operational se- 
mantics is defined as a labelled transition system over the set of configurations 
$Conf$. The transition relation $(\sigma, E, \ell_j) \xrightarrow{a} (\sigma', E', \ell_{j+1})$ is defined as follows: 

— $(\sigma, E, \ell_j) \xrightarrow{a} (\sigma, E \cup \{t\sigma\}, \ell_{j+1})$, if $j < n_i$ and $a = \ell_j \xrightarrow{!t} \ell_{j+1}$. That is, send- 
ing the message $t\sigma$ amounts to adding $t\sigma$ to the knowledge of the intruder. 

— for $\rho \in \Gamma(x)$ with $E\sigma \vdash t(\sigma \oplus \rho)$, we have $(\sigma, E, \ell_j) \xrightarrow{a} (\sigma \oplus \rho, E, \ell_{j+1})$, 
if $j < n_i$ and $a = \ell_j \xrightarrow{?t(x)} \ell_{j+1}$. That is, it corresponds to receiving any 
message that matches with $t\sigma$ and is known by the intruder. 

— $(\sigma, E, \ell_j) \xrightarrow{a} (\sigma \oplus [x \mapsto t\sigma], E, \ell_{j+1})$, if $j < n_i$ and $a$ is the assignment 
$\ell_j \xrightarrow{x := t} \ell_{j+1}$. The effect of an assignment is as usual. 

— $(\sigma, E, \ell_j) \xrightarrow{a} (\sigma, E, \ell_{j+1})$, if $j < n_i$, and $a$ is the test $\ell_j \xrightarrow{x = t} \ell_{j+1}$. 
The action $x = t$ behaves as a filter. 

The initial configuration is given by a substitution $\sigma_0$, a set of terms $E_0$ such 
that the variables in $E_0$ do not appear in the protocol description and a control 
point $\ell_0$. 



3.3 Expressing Security Properties 

In this subsection, we introduce an intuitive logic, which allows us to express 
security properties about cryptographic protocols. The purpose is to recall these 
properties and show how they can be described. The set of formulas $\mathcal{F}_0$ is defined 
in Table 1; $x$ is a meta-variable that ranges over the set $V$ of first-order variables. 
First-order variables range over messages; $t$ is a meta-variable over terms. The 
proposition $Secret(t)$ expresses secrecy in the following (usual) sense: it is true in 
a configuration $(\sigma, E, \ell)$, if $t\sigma$ cannot be derived by the intruder from $E\sigma$. The 
proposition $pc = \ell$ is true, if the program counter equals $\ell$. 

Table 1. The set of formulas $\mathcal{F}_0$ 

$\mathcal{F}_0 \ni \varphi, \psi ::= Secret(t) \mid x = t \mid pc = \ell \mid \top \mid \bot \mid \varphi \wedge \psi \mid \neg\varphi \mid \forall x\,\varphi$ 
Definition 1 (Semantics). The interpretation of a formula is given by the set 
of its models, i.e., the set of configurations in $Conf$ that satisfy the formula. The 
definition is standard except for the following clauses: 

$[\![Secret(t)]\!] = \{(\sigma, E, \ell) \mid E\sigma \nvdash t\sigma\}$; $[\![x = t]\!] = \{(\sigma, E, \ell) \mid \sigma(x) = \sigma(t)\}$; 
and $[\![pc = \ell]\!] = \{(\sigma, E, \ell) \mid (\sigma, E, \ell) \text{ is a configuration}\}$. 

There are many definitions of authentication that we can find in the literature [5, 
21,14,19,17]. In the full paper, we show how these properties can be expressed 
in our logic. 



4 The SPL Logic 

In this section, we present a more expressive logic, the SPL logic, that embeds 
the logic introduced in the previous section. SPL is used in Section 5 as the 
underlying logic for the weakest precondition calculus. 

Henceforth, let $K \subseteq \mathcal{K}$ be a fixed but arbitrary set of keys, such that $\emptyset \neq 
K \neq \mathcal{K}$. 

4.1 A Syntactic Characterization of Secrecy 

A major problem we face for developing a complete inference system for cryp- 
tographic protocols is that secrecy, i.e., $E \nvdash m$, is not expressive enough. For 
instance, consider the protocol $?\{x\}_k; !x$ and the property $E \nvdash (s_1, s_2)$. What 
should be the weakest precondition that ensures this property at the end of this 
protocol? In this section, we introduce a modality that allows to express weakest 
preconditions and provides a syntactic characterization of secrecy. 

Intuitively, this modality is a predicate that asserts that given the intruder's 
knowledge $E$, a term $s$ is protected by a key in $K$ in any message the intruder 
can derive from $E$. 

A pair $(\{t\}_k, r)$, where $t$ is a term, $k \in K$ and $r$ a critical position in $\{t\}_k$, is 
called a term transducer (TT for short). Intuitively, the pair $(\{t\}_k, r)$ can be seen 
as a function that takes as argument a term that matches with $\{t\}_k$ and returns 
as result the term $\{t\}_k|_r$. As will become clear later, a run of a CP provides the 
intruder with new term transducers she (he) can apply to learn new terms. 

We are now ready to introduce the main modality of the logic: 

Definition 2. Let $m$ and $s$ be two messages and let $w \in (\mathcal{M} \times Pos)^{*}$ be a 
sequence of term transducers. 

We define the predicate $m\langle w\rangle s$, which we read "$s$ is $w$-protected in $m$", re- 
cursively on the structure of $m$ and length of $w$: 

— $m$ is atomic and $m \neq s$, or 

— $m = pair(m_1, m_2)$, $m \neq s$ and both $m_1\langle w\rangle s$ and $m_2\langle w\rangle s$ are true, or 

— $m = encr(m_1, k)$, $m \neq s$, $k \notin K$ and $m_1\langle w\rangle s$ is true, or 

— $m = encr(m_1, k)$, $m \neq s$, $k \in K$ and $w = \epsilon$, or 

— $m = encr(m_1, k)$, $w = (b, r).w_1$, $m \neq s$, $k \in K$, and $m \neq b$ or $m|_r\langle w_1\rangle s$ is 
true. 

This definition is easily generalized to sets of messages: Let $M$ and $S$ be sets of 
messages, $w$ a sequence of term transducers and $K$ a set of keys. We say that the 
secrets $S$ are $w$-protected in $M$, denoted by $M\langle w\rangle S$, if $\bigwedge_{m \in M,\, s \in S} m\langle w\rangle s$ holds. 

Example 1. Let $m = (\{A, \{N\}_{k_1}\}_{k_2}, A)$ and $K = \{k_1, k_2\}$. Then, $m\langle\epsilon\rangle N$ is true 
since $\{A, \{N\}_{k_1}\}_{k_2}\langle\epsilon\rangle N$ and $A\langle\epsilon\rangle N$ are true. 

Let now $w = (\{A, \{N\}_{k_1}\}_{k_2}, 12).(\{N\}_{k_1}, 1)$. Then, $m\langle w\rangle N$ is false since ap- 
plying the term transducer $(\{A, \{N\}_{k_1}\}_{k_2}, 12)$ yields $\{N\}_{k_1}$, on which an appli- 
cation of $(\{N\}_{k_1}, 1)$ yields $N$. 



Closure of sets of secrets. In this section, we define when a set of messages 
is closed. Closed sets of secrets enjoy the property that they are not derivable 
by composition. Intuitively, a set of messages is closed if it contains all messages 
along every path of the tree representing a message in the set. 

Let $\mathbb{M}$ be a set of sets of messages and let $m$ be a message. We use the 
notation: $m \oplus \mathbb{M} = \{M_i \cup \{m\} \mid M_i \in \mathbb{M}\}$. 

We define when a set of messages is closed. The closure of a set $S$ ensures 
that the intruder cannot derive a message in $S$ by composition rules: 

$wc(m) = \begin{cases} m \oplus (wc(m_1) \cup wc(m_2)) & \text{if } m = (m_1, m_2) \\ m \oplus (wc(m') \cup wc(k)) & \text{if } m = \{m'\}_k \\ \{K^{-1} \cup \{m\}\} & \text{if } m \text{ is atomic} \end{cases}$ 

where $K^{-1} = \{k^{-1} \mid k \in K\}$. A set $M$ of messages is called closed, if for any 
$m \in M$ there exists $M' \in wc(m)$ such that $M' \subseteq M$. 

Example 2. Consider the message $m = (\{A, N\}_k, B)$. Then $wc(m)$ consists of 
the following sets: 

$K^{-1} \cup \{(\{A, N\}_k, B), \{A, N\}_k, (A, N), A\}$, $\qquad K^{-1} \cup \{(\{A, N\}_k, B), \{A, N\}_k, k\}$, 

$K^{-1} \cup \{(\{A, N\}_k, B), \{A, N\}_k, (A, N), N\}$, $\qquad K^{-1} \cup \{(\{A, N\}_k, B), B\}$. 
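As an added illustration (not the paper's code), the following Python model implements the message terms of Section 3.1, the predicate $m\langle w\rangle s$ of Definition 2, the function $wc(m)$ and the closedness test, and replays Examples 1 and 2; the inverse key $k^{-1}$ is modelled by a constructed tag `('inv', k)` and positions by tuples of child indices, both assumptions of the model.

```python
# Added model (not from the paper) of messages, of m<w>s (Definition 2) and of wc(m).
# Atoms are strings; pair(m1, m2) and encr(m, k) are tagged tuples whose children
# sit at indices 1 and 2, so a position such as 12 is written (1, 2).

def pair(m1, m2):
    return ('pair', m1, m2)

def encr(m, k):
    return ('encr', m, k)

def inv(k):
    """k^{-1}: the inverse of key k, modelled by a constructed atom."""
    return ('inv', k)

def is_atomic(m):
    return isinstance(m, str) or m[0] == 'inv'

def subterm(m, pos):
    """t|p: follow the position p (a tuple of child indices 1 or 2) down from m."""
    for i in pos:
        m = m[i]
    return m

def protected(m, w, s, K):
    """m<w>s: 's is w-protected in m', clause by clause as in Definition 2.

    w is a sequence of term transducers (b, r); K is the set of protecting keys."""
    if m == s:                                  # every clause requires m != s
        return False
    if is_atomic(m):
        return True
    if m[0] == 'pair':
        return protected(m[1], w, s, K) and protected(m[2], w, s, K)
    _, m1, k = m                                # m = encr(m1, k)
    if k not in K:
        return protected(m1, w, s, K)           # a key outside K does not protect
    if not w:
        return True                             # k in K and w empty: s stays protected
    (b, r), w1 = w[0], w[1:]
    return m != b or protected(subterm(m, r), w1, s, K)

def wc(m, K):
    """wc(m): the candidate closed sets for m, as a set of frozensets."""
    k_inv = frozenset(inv(k) for k in K)        # K^{-1}
    if is_atomic(m):
        return {k_inv | {m}}
    # m = (m1, m2) or m = {m'}_k: m (+) (wc(child 1) U wc(child 2)); for an
    # encryption the second child is the key k, whose wc(k) is the atomic case.
    return {mi | {m} for mi in wc(m[1], K) | wc(m[2], K)}

def closed(M, K):
    """A set M is closed if every m in M has some M' in wc(m) with M' a subset of M."""
    return all(any(mp <= M for mp in wc(m, K)) for m in M)

def example_1():
    """Example 1: m = ({A, {N}_k1}_k2, A), K = {k1, k2}; returns (m<e>N, m<w>N)."""
    K = {'k1', 'k2'}
    inner = encr(pair('A', encr('N', 'k1')), 'k2')
    m = pair(inner, 'A')
    w = ((inner, (1, 2)), (encr('N', 'k1'), (1,)))
    return protected(m, (), 'N', K), protected(m, w, 'N', K)

def example_2():
    """Example 2: wc(({A, N}_k, B)) with K = {k}."""
    return wc(pair(encr(pair('A', 'N'), 'k'), 'B'), {'k'})
```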

We can prove the following: 

Lemma 1. Let $S$ be a closed set of messages and let $E$ be a set of messages 
such that $S \cap E = \emptyset$. Then, $E \nvdash_c S$. In other words, if $S$ is closed then no 
message in $S$ can be derived uniquely by the composition rules. 

We use the notation $E\langle w_i, S_i\rangle_i$ for $\bigwedge_{i \in I} E\langle w_i\rangle S_i$. Our purpose now is to define 
conditions on $w_i$ and $S_i$ such that for any set $E$ of messages, if $E\langle w_i, S_i\rangle_i$ then 
$m\langle w_i, S_i\rangle_i$, for any message $m$ derivable from $E$. In other words, such conditions 
ensure that $E\langle w_i, S_i\rangle_i$ is stable under the derivation rules defining the intruder. 
Remember that closure guarantees stability only under composition rules. 

Example 3. Let $E = \{s_1, s_2\}$ be a set of messages. Then we have $E\langle w\rangle(s_1, s_2)$. 
But we have both $E \vdash (s_1, s_2)$ and $\neg(s_1, s_2)\langle w\rangle(s_1, s_2)$. 
This example shows that we need to consider only closed sets of secrets. But this 
is not sufficient, as shown by the following example. 

Example 4. Let $E = \{\{s\}_{k_1}, k_2\}$ be a set of messages. $E\langle(\{\{s\}_{k_1}\}_{k_2}, 11)\rangle s$ is 
satisfied, but we have both $E \vdash \{\{s\}_{k_1}\}_{k_2}$ and $\neg\{\{s\}_{k_1}\}_{k_2}\langle(\{\{s\}_{k_1}\}_{k_2}, 11)\rangle s$. 

Hence, we need to deal also with the interior term transducers. To do so, let 
$(b, p)$ be a term transducer. Then, we denote by $lpt(b, p)$ the next term transducer 
in $b$ from above that dominates $b|_p$, if it exists. For lack of space we omit to give 
the formal definition, and we prefer to illustrate it by an example. 

Example 5. Let $b$ be the term $\{(\{N\}_{k'}, A)\}_k$ with $k, k' \in K$. Then, $lpt(b, 111) = 
(\{N\}_{k'}, 1)$. But $lpt(b, 12)$ does not exist, and neither does $lpt(b, 11)$. 

We have now everything we need to express the conditions that guarantee sta- 
bility under the intruder's derivations: 

Definition 3. $(w_i, S_i)_{i \in I}$ is called well-formed, if the following conditions are 
satisfied for every $i \in I$: 

— $S_i$ is closed, 

— if $w_i = (b, r).w$ and if there exists a term transducer $(b_1, r_1) = lpt(b, r)$, then 
there exists $j \in I$ such that one of the following is true: 

• $b \in S_j$ 

• $w_j = (b_1, r_1).w$ and $S_i \subseteq S_j$. 

The main property of $E\langle w_i, S_i\rangle_i$ is that it is stable under the intruder's deduction 
rules. Indeed, we have: 

Proposition 1. Let $E$ be a set of messages and let $(w_i, S_i)_{i \in I}$ be well-formed 
such that $E\langle w_i, S_i\rangle_i$. Let $m$ be a message with $E \vdash m$. Then, $m\langle w_i, S_i\rangle_i$. 

The modality $E\langle w\rangle S$ has another interesting property with respect to intruder's 
derivations: 

Proposition 2. Let $m$ be a message and $E$ a set of messages such that $\mathcal{K} \setminus 
K^{-1} \subseteq E$. Then, $E \nvdash m$ iff there exists a set of messages $A \in wc(m)$ s.t. 
$E\langle\epsilon\rangle A$. 

4.2 SPL: A Logic for Security Properties 

The syntax of SPL is the same as $\mathcal{F}_0$ except that $Secret(t)$ is replaced by the 
following modalities: $X\langle w\rangle S$ and $x\langle w\rangle S$. Here $X$ is a fixed second-order variable, 
$S$ is a finite set of terms and $w$ is a finite sequence of term transducers that 
can contain free variables. The formulae are interpreted over a restricted set of 
configurations $Conf_0 = \{(\sigma, E, \ell) \mid (\sigma, E, \ell) \in Conf,\ \mathcal{K} \setminus K^{-1} \subseteq E\}$. 

Definition 4 (Semantics). The semantics of SPL is defined as in Definition 1 
except that we also have the following clauses: 

$[\![X\langle w\rangle S]\!] = \{(\sigma, E, \ell) \mid E\sigma\langle w\sigma\rangle S\sigma\}$; $[\![x\langle w\rangle S]\!] = \{(\sigma, E, \ell) \mid \{\sigma(x)\}\langle w\sigma\rangle S\sigma\}$. 
For convenience of notations, we extend the set of formulae SPL as follows: 

$\mathrm{SPL}^{+} \ni \varphi, \psi ::= \ldots \mid (X, x)\langle w\rangle S \mid t\langle w\rangle S$ 

The semantics of the newly introduced formulae is: $[\![t\langle w\rangle S]\!] = \{(\sigma, E, \ell) \mid t\sigma\langle w\sigma\rangle 
S\sigma\}$; $[\![(X, x)\langle w\rangle S]\!] = [\![X\langle w\rangle S]\!] \cap [\![x\langle w\rangle S]\!]$. 

We prove that any formula of the form $t\langle w\rangle S$ is definable in SPL. 

Proposition 3. Let $s, t$ be terms, let $w$ be a sequence of term transducers and 
let $J(t, w, s)$ be defined as follows: 

$J(t, w, s) = \begin{cases} 
x\langle w\rangle s & \text{if } t = x \in V \\ 
\neg\mu(a, s) & \text{if } t = a \in A \\ 
J(t_1, w, s) \wedge J(t_2, w, s) \wedge \neg\mu(t, s) & \text{if } t = (t_1, t_2) \\ 
J(t_1, w, s) \wedge \neg\mu(t, s) & \text{if } t = \{t_1\}_k \wedge k \notin K \\ 
\neg\mu(t, s) & \text{if } t = \{t_1\}_k \wedge k \in K \wedge w = \epsilon \\ 
((J(b|_r, w_1, s) \wedge \mu(b, t)) \vee \neg\mu(b, t)) \wedge \neg\mu(t, s) & \text{if } t = \{t_1\}_k \wedge k \in K \wedge w = (b, r).w_1 
\end{cases}$ 

Then, $t\langle w\rangle s \equiv J(t, w, s)$, i.e., both formulae are equivalent. 

From now on, we will tacitly identify $t\langle w\rangle S$ and $J(t, w, s)$. We also use the 
notations $(\sigma, E, \ell) \models \varphi$ for $(\sigma, E, \ell) \in [\![\varphi]\!]$, $t\langle\not w\rangle S$ for $\neg t\langle w\rangle S$, and $X\langle\not w\rangle S$ for 
$\neg X\langle w\rangle S$. Also, given a term $s$, we write $X\langle w\rangle s$ instead of $X\langle w\rangle\{s\}$ and $t\langle w\rangle s$ 
instead of $t\langle w\rangle\{s\}$. We identify formulae modulo the usual properties of boolean 
connectives such as associativity and commutativity of $\wedge$, $\vee$, distributivity etc., 
and use $\Rightarrow$ as the classical logical implication (it can be easily defined in SPL 
logic using set inclusion). 

The predicate $Secret(t)$ can be expressed in SPL, and hence, the specification 
language of Section 3.3 can be embedded into SPL. 

Given a term $t$, let $F(t)$ denote the formula $\bigvee_{S' \in wc(t)} X\langle\epsilon\rangle S'$. Then we have: 

Proposition 4. Let $t$ be a term. Then, $[\![Secret(t)]\!] = [\![F(t)]\!]$. 

Well-formed formulae. In Definition 3, we introduced when $(w_i, S_i)_{i \in I}$ is well- 
formed. As now we are dealing with formulae, we have to define when a formula 
is well-formed in the same sense. 

Definition 5. A formula $\Phi$ is well-formed, if for any sequence of term trans- 
ducers $w$ and closed set of terms $S$, whenever $\Phi \Rightarrow X\langle w\rangle S$, there exist $(w_i, S_i)_{i \in I}$ 
well-formed, such that $\Phi \Rightarrow \bigwedge_{i \in I} X\langle w_i\rangle S_i$ and $(w, S) \in (w_i, S_i)_{i \in I}$. 

The main property satisfied by well-formed formulae is a parallel to Proposition 1 
and given by the following corollary, which is a direct consequence of Definitions 3 
and 5. 

Corollary 1. Let $\Phi$ be a well-formed formula such that $\Phi \Rightarrow X\langle w\rangle S$ and let 
$(\sigma, E, \ell) \in [\![\Phi]\!]$. If $m$ is a message such that $E\sigma \vdash m$, then $m\langle w\sigma\rangle S\sigma$. 




On the Existence of an Effective and Complete Inference System 






Now, the property of Corollary 1 turns out to be crucial for developing a complete 
weakest precondition calculus and well-formedness has to be preserved. There- 
fore, we introduce the function $\mathcal{H}$. It takes as argument a formula $X\langle b.w\rangle S$ and 
computes the weakest (the largest w.r.t. set inclusion) well-formed formula (see 
Definition 5) $\mathcal{H}(X\langle b.w\rangle S)$, such that $\mathcal{H}(X\langle b.w\rangle S) \Rightarrow X\langle b.w\rangle S$: 

$\mathcal{H}(X\langle b.w\rangle S) = \begin{cases} X\langle b.w\rangle S & \text{if } lpt(b) \text{ is undefined} \\ X\langle b.w\rangle S \wedge (\mathcal{H}(X\langle b_1.w\rangle S) \vee \bigvee_{S' \in wc(t)} X\langle\epsilon\rangle S') & \text{if } b = (t, p) \wedge b_1 = lpt(b) \end{cases}$ 

Proposition 5. Let $\Phi$ be a well-formed formula. Let $b.w$ be a sequence of term 
transducers and $S$ a closed set of terms such that $\Phi \Rightarrow X\langle b.w\rangle S$. Then $\Phi \Rightarrow 
\mathcal{H}(X\langle b.w\rangle S)$. 

5 Weakest Precondition Calculus 

We are interested in proving partial correctness of bounded cryptographic proto- 
cols w.r.t. pre- and post-conditions given by universally quantified SPL formulae. 
Thus, using the usual notation, we are interested in proving validity of Hoare 
triples $\{\varphi\}\pi\{\psi\}$. As our formalization of bounded CP consists of the actions, 
sequential composition and non-deterministic choice, the Hoare logic contains 
axioms for the actions and the usual inference rules for composition and choice, 
and the Consequence rule. The rules are standard. Therefore, we focus on the 
axioms for the actions. That is, for each action we show that we can express the 
weakest liberal precondition in SPL. 

Let us now precisely define the fragment of SPL for which we develop a com- 
plete Hoare Logic. As shown in Section 3.3 most security properties (authenti- 
cation and secrecy at least) can be expressed by such formulae. We denote this 
fragment by $\mathrm{SPL}_\forall$. 



$\varphi, \psi ::= X\langle w\rangle S \mid (X, x)\langle w\rangle S \mid x = t \mid pc = \ell \mid x \neq t \mid \top \mid \bot \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \forall x\,\varphi$ 

The weakest precondition of a set of configurations $C \subseteq Conf$ with respect to 
an action $a$, denoted $wlp(a, C)$, is defined to be the set of configurations $s$, such 
that whenever action $a$ is allowed in $s$, it leads to a configuration in $C$. More 
formally 

$wlp(a, C) := \{(\sigma, E, \ell) \mid (\sigma, E, \ell) \xrightarrow{a} (\sigma', E', \ell') \Rightarrow (\sigma', E', \ell') \in C\}.$ 

Given a formula $\varphi$, we use $wlp(a, \varphi)$ instead of $wlp(a, [\![\varphi]\!])$ to denote the weakest 
precondition of a formula $\varphi \in \mathrm{SPL}$. 

Let $t$ be a term and $p$ a valid position in $t$. Then, we denote by $lpp(t, p)$ 
the position of the first term transducer in $t$ from above that dominates $p$, if it 
exists. For lack of space we omit to give the formal definition, and we prefer to 
illustrate it by an example. 







L. Bozga, C. Ene, and Y. Lakhnech 



Example 6. Consider the term t = ({A, A^), where ki.k^ G K. Let 

p = 1121 and p' = 2. Thus, = t|p/ = N. Then, we have lpp(t,p) = 1, which 
corresponds to the key ^ 2 ! lpp(CpO is, however, undefined. 

Recall from Section 4 that, given a term $t$, $F(t) ::= \bigvee_{s' \in wc(t)} \cdots$. The intuitive explanation of the lemma is the following: being in a state $(\sigma,E,\ell)$, in order to be able to make an input $?t(\bar{x})$ such that $\bar{x}$ is instantiated by $\rho$, it must be that $(\sigma,E,\ell) \notin [\![F(t\rho)]\!]$.

Lemma 2. Let $E$ be a set of terms, $\ell$ a label and $\rho$ and $\sigma$ ground substitutions such that $dom(\rho) = \bar{x}$ and $(dom(\sigma) \cup var(E)) \cap \bar{x} = \emptyset$. Then $(\sigma,E,\ell) \in [\![F(t\rho)]\!]$ iff $E\sigma \nvdash t(\sigma \oplus \rho)$.

Let $t$ be a term, $w$ a sequence of term transducers and $S$ a set of terms. We denote by $G(t,w,S)$ the formula obtained from $\bigwedge_{s \in S} t(w)s$ as follows:

— First, use distributivity of $\wedge$ and $\vee$ to push $\bigwedge_{s \in S}$ "inside" as much as possible.

— Then, replace any occurrence of $\bigwedge_{s \in S} x(w)s$ by $(X,x)(w)S$.

It is easy to prove by induction on the structure of $t$ that $G(t,w,S) \in \mathit{SPL}_\forall$, and similarly to Proposition 3 we can prove that $X(w)S \wedge G(t,w,S) = X(w)S \wedge t(w)S$.

Lemma 3 gives the weakest condition that has to be satisfied in a configuration $s$ such that, if in the next step $x$ is instantiated by an input, the reached configuration $s'$ satisfies $x(w)S$. The key idea can be explained by considering the sequence of actions $?t(x);\,!x$. That is, if a secret $s$ that appears in $x$ has to be protected, then it has to appear in $x$ under an encryption. Thus, before executing $?t(x);\,!x$, it should be the case that, even if we provide the intruder with the term transducer that takes as input $t(x)$ and yields $x$, it is not possible to derive $s$.
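As an added illustration of this intuition (this is not the paper's formalism; the message algebra, the pattern syntax, the function names and all knowledge sets below are assumptions constructed for the example), the following Python models a Dolev-Yao intruder with pairing and symmetric encryption, hands it a transducer that maps any known message matching $t(x)$ to $x$, re-closes its knowledge, and checks whether a secret becomes derivable. The third sample shows why the closure has to be recomputed after the transducer fires: the component it releases is a key that unlocks the secret.

```python
# Added example (not the paper's formalism): a Dolev-Yao intruder with pairing
# and symmetric encryption, plus a "term transducer" t(x) -> x.
# Messages: atoms are strings; ('pair', a, b) and ('enc', m, k) are compound.
# Pattern variables are strings starting with '?', e.g. '?x'.

def derivable(t, D):
    """Synthesis: t is derivable from the analysed knowledge D."""
    if t in D:
        return True
    if isinstance(t, tuple):            # build a pair or an encryption from parts
        return derivable(t[1], D) and derivable(t[2], D)
    return False

def analyse(E):
    """Analysis: close E under splitting pairs and decrypting with derivable keys."""
    D = set(E)
    changed = True
    while changed:
        changed = False
        for m in list(D):
            if not isinstance(m, tuple):
                continue
            if m[0] == 'pair':
                new = {m[1], m[2]}
            elif m[0] == 'enc' and derivable(m[2], D):
                new = {m[1]}
            else:
                continue
            if not new <= D:
                D |= new
                changed = True
    return frozenset(D)

def match(pattern, msg, binding=None):
    """One-way matching of a pattern with '?'-variables against a ground message."""
    binding = {} if binding is None else binding
    if isinstance(pattern, str) and pattern.startswith('?'):
        if pattern in binding:
            return binding if binding[pattern] == msg else None
        binding[pattern] = msg
        return binding
    if isinstance(pattern, tuple):
        if not (isinstance(msg, tuple) and len(msg) == len(pattern) and msg[0] == pattern[0]):
            return None
        for p, m in zip(pattern[1:], msg[1:]):
            binding = match(p, m, binding)
            if binding is None:
                return None
        return binding
    return binding if pattern == msg else None

def knowledge_with_transducer(E, pattern, var='?x'):
    """Intruder knowledge after being handed the transducer pattern -> var:
    every analysed message matching the pattern yields its var component,
    and the result is analysed again (the released part may be a key)."""
    D = analyse(E)
    while True:
        learned = set()
        for m in D:
            b = match(pattern, m)
            if b is not None:
                learned.add(b[var])
        if learned <= D:
            return D
        D = analyse(D | learned)

def secret_protected(E, pattern, secret):
    """The condition of Lemma 3 in this toy model: the secret stays
    underivable even with the transducer t(x) -> x available."""
    return not derivable(secret, knowledge_with_transducer(E, pattern))

# Constructed sample knowledge sets (assumptions for the example).
E_plain  = {('enc', 's', 'k'), 'n'}                       # s sent under k
E_other  = {('enc', 's', 'k2'), 'n'}                      # s under a different key
E_keyrel = {('enc', 'k2', 'k'), ('enc', 's', 'k2')}       # k2 under k, s under k2
STEP = ('enc', '?x', 'k')                                 # role does ?{x}_k ; !x

if __name__ == '__main__':
    for name, E in [('plain', E_plain), ('other key', E_other), ('key release', E_keyrel)]:
        print(name, 'protected:', secret_protected(E, STEP, 's'))
```

Without the transducer, `derivable('s', analyse(E_keyrel))` is false: the intruder holds neither key. Handing it the step $?\{x\}_k;\,!x$ releases $k_2$, and the second analysis pass then decrypts $\{s\}_{k_2}$, which is exactly the situation the precondition of Lemma 3 has to exclude.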

Lemma 3. Let $t$ be a term, $S$ a set of terms, $w$ a sequence of term transducers, $x$ a variable and $P_{x,t}$ the set of critical positions of $x$ in $t$. Let

$\mathcal{K}(t,x,w,S) = X(w)S \wedge \bigwedge_{p = lpp(t,p_x),\ p_x \in P_{x,t}} \mathcal{H}(X((t|_p, p^{-1}p_x).w)S).$

Let $E$ be a set of terms, $\ell$ and $\ell'$ labels, and $\rho$, $\sigma$ ground substitutions such that $dom(\rho) = \bar{x}$, $x \in \bar{x}$, $(dom(\sigma) \cup var(E)) \cap \bar{x} = \emptyset$. Let $\Phi$ be a well-formed formula such that whenever $E\sigma \vdash t(\sigma \oplus \rho)$, it holds

$(\sigma \oplus \rho, E, \ell') \in [\![(X,x)(w)S]\!]$ iff $(\sigma,E,\ell) \in [\![\Phi]\!]$.

Then $[\![\Phi]\!] = [\![\rho(\mathcal{K}(t,x,w,S))]\!]$.

Now we are ready to introduce the weakest preconditions for all formulae in $\mathit{SPL}_\forall$. Remark that in the case of input, $F(t)$ is used for partial correctness: if an input $?t(x)$ is not allowed in a configuration $s$ (i.e., $s \in [\![F(t)]\!]$), then for any $\psi$ we have $s \in wlp(?t(x), \psi)$.
Definition 6 (definition of wlp). The function $wlp$, which gives the weakest preconditions for $\mathit{SPL}_\forall$, is defined below:

1. $wlp(\ell \xrightarrow{!t} \ell', \varphi) \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow \varphi \wedge G(t,w,S)$ if $\varphi \in \{X(w)S, (X,x)(w)S\}$

2. $wlp(\ell \xrightarrow{!t} \ell', \varphi) \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow \varphi$ if $\varphi \in \{x \neq t', x = t', \top, \bot\}$

3. $wlp(\ell \xrightarrow{?t(\bar{x})} \ell', (X,x)(w)S) \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow (F(t) \vee \mathcal{K}(t,x,w,S))$ if $x \in \bar{x}$

4. $wlp(\ell \xrightarrow{?t(\bar{x})} \ell', \varphi) \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow (F(t) \vee \varphi)$ if $\varphi \in \{X(w)S, (X,y)(w)S, x \neq t', x = t', \top, \bot\}$ and $y \notin \bar{x}$

5. $wlp(\ell \xrightarrow{\cdots} \ell', \varphi) \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow \varphi[t\sigma/x]$ if $\varphi \in \{X(w)S, (X,x)(w)S, x \neq t', x = t', \top, \bot\}$

6. $wlp(\ell \xrightarrow{\cdots} \ell', \varphi) \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow (\cdots = t\sigma \Rightarrow \varphi)$ if $\varphi \in \{X(w)S, (X,x)(w)S, x \neq t', x = t', \top, \bot\}$

7. $wlp(\ell \xrightarrow{a} \ell', pc = \ell'') \stackrel{\mathrm{def}}{=} pc = \ell \Rightarrow \ell' = \ell''$

8. $wlp(a, \varphi \vee \psi) \stackrel{\mathrm{def}}{=} wlp(a,\varphi) \vee wlp(a,\psi)$

9. $wlp(a, \varphi \wedge \psi) \stackrel{\mathrm{def}}{=} wlp(a,\varphi) \wedge wlp(a,\psi)$

10. $wlp(a, \forall x.\varphi) \stackrel{\mathrm{def}}{=} \forall x.\, wlp(a,\varphi)$ if $var(a) \cap x = \emptyset$

It is easy to see that for any formula $\varphi \in \mathit{SPL}_\forall$ and any action $a$, $wlp(a,\varphi) \in \mathit{SPL}_\forall$. We then define the formula $\mathit{WLP}(a,\varphi)$ as follows: $\mathit{WLP}(a,\varphi) = wlp(a,\varphi)$ if $a$ is not an input action $\ell \xrightarrow{?t(\bar{x})} \ell'$, and $\mathit{WLP}(\ell \xrightarrow{?t(\bar{x})} \ell', \varphi) = \forall \bar{x}.\, wlp(\ell \xrightarrow{?t(\bar{x})} \ell', \varphi)$.

Then, we have the following theorem:

Theorem 1. The wp-calculus of Definition 6 is sound and complete, i.e., let $a$ be any action and $\varphi$ any formula in $\mathit{SPL}_\forall$. Then $wlp(a, [\![\varphi]\!]) = [\![\mathit{WLP}(a,\varphi)]\!]$.

Hence, following the usual completeness proof for Hoare logic, we can prove:

Corollary 2. The Hoare logic consisting of the inference rules for composition, choice and consequence and the axiom schema $\{\mathit{WLP}(a,\varphi)\}\,a\,\{\varphi\}$ for each action is sound and complete.

6 Decidability of SPL 

In this section, we study the decidability of the existence of a model (the satisfiability problem) of an SPL formula. We prove decidability of this problem for existential formulae (i.e., formulae in ZIq) and undecidability in the general case. Notice that since we showed in Section 5 that given a formula $\varphi$ in $\mathit{SPL}_\forall$ and a bounded CP $\pi$, one can compute $\mathit{WLP}(\pi,\varphi)$, decidability of the satisfiability of existential formulae yields a decision procedure. Indeed, assume that we are given an existential formula $\psi$ and $\varphi$ in $\mathit{SPL}_\forall$, and a bounded CP $\pi$; then $\{\psi\}\pi\{\varphi\}$ is true iff $\psi \wedge \neg\mathit{WLP}(\pi,\varphi)$ is not satisfiable. Notice also that undecidability of SPL entails the non-existence of a complete and effective Hoare logic for bounded CP and SPL.

To prove decidability for existential formulae we follow a rule-based approach (see, e.g., [13,6] for two nice surveys), i.e.:

1. We introduce a set of formulae in solved form. For these formulae it is easy to decide whether a model exists.

2. We introduce a set of rewriting rules to transform any formula in the existential fragment into a solved form.

3. We prove soundness of these rules.

4. We also prove their completeness, i.e., termination for a given control, and that normal forms are indeed in solved form.

We will encounter two sorts of rewriting rules:

— Deterministic rules are of the form $\varphi \mapsto \varphi'$. They transform a given problem into a single problem. A deterministic rule is sound if $[\![\varphi]\!] = [\![\varphi']\!]$.

— Non-deterministic rules are of the form $\varphi \mapsto \varphi_1, \ldots, \varphi_n$. They transform a given problem into a set of problems. A non-deterministic rule is sound if $[\![\varphi]\!] = \bigcup_{i=1}^{n} [\![\varphi_i]\!]$.

In this section, we do not consider formulae of the form $pc = \ell$. It will be clear that adding these formulae does not add any technical difficulty; it is only cumbersome to consider them here.

Thus, given a formula $\varphi$ with $x_1,\ldots,x_n$ as free variables, a model of $\varphi$ is a pair $(\sigma,E)$ consisting of a ground substitution $\sigma$ over $x_1,\ldots,x_n$ and a set $E$ of messages.

6.1 Decidability of Uq Formulae 

Let $\psi$ be a formula in SPL of the form $\exists x_1,\ldots,x_n\,.\,\varphi$, where $\varphi$ is a conjunction of literals, i.e., $X(w)S \mid x(w)S \mid x = t \mid \top \mid \neg X(w)S \mid \neg x(w)S \mid x \neq t \mid \bot$, with $x_1,\ldots,x_n$ as first-order free variables.

Notice that the satisfiability of any formula $\exists x_1,\ldots,x_n\,.\,\varphi$, where $\varphi$ is quantifier-free, can be reduced to a finite set of satisfiability problems for formulae of the form above.

Solved form. A formula is called in solved form if it is syntactically equal to $\top$, $\bot$ or $\exists x_1,\ldots,x_n\,.\,\varphi$ where $\varphi$ is of the form:

n rrii li oi 

A A ^ A Xi ^ vj] such that: 

i=l j = l j=l j=l 

1. ) For any i = Xi ^ var(tj), Xi ^ var(uj), and Xi ^ var(vj) and 

2. ) There is an ordering x^^ , • • • , Xj„ of Xi, • • • , x„ such that the intersection of 

U war(<J with Xi^} is empty. 

k=l 

We now show how one can "easily" check whether a formula in solved form has a model. We only consider the third type of solved formulae. So, let $\varphi$ be a conjunction as above. We define a particular substitution $\sigma$ such that $\varphi$ has a model iff it is satisfied by $\sigma$. To do so, let $k \in K$ be a fixed key. Let $F(n)$, for $n \geq 1$, denote $n$ concatenations of $k$, i.e., $F(1) = k$ and $F(n+1) = pair(k, F(n))$. Let now $N$ be a natural number strictly bigger than the size of the formula $\psi$. We then define the substitution $\sigma$ recursively as follows:

1. ) If n = 1, i.e., there is only one variable then (• • • , (mT , 

{F{N + ii)}fe) • • •))• In case = 0 this term is understood as {F{N + 

2. ) If n > 1 then replace by (r(xij) in tp. This yields a new formula 

ip' and the ordering Xi^, - ■ ■ and by recursion, a substitution a'. Then, let 

cr= [x,, ^ + 

Theorem 2. Let $\psi$ be a formula in solved form syntactically different from $\top$ and $\bot$. Let $\sigma$ be the substitution defined above. Then $\psi$ has a model iff $\sigma$ satisfies $\psi$.



Table 2. Rules for transformations into a solved form 



Table 3. Eliminate trivial sub-formulae

$x = x \mapsto \top$ \qquad $x(w)x \mapsto \bot$

$x = t \mapsto \bot$ if $x \in Var(t) \wedge x \neq t$ \qquad $x(w)t \mapsto \top$ if $x \in Var(t) \wedge x \neq t$



Table 4. Replacement

$x = t \wedge \Phi \mapsto x = t \wedge \Phi[t/x]$ if $x \notin Var(t)$






Table 5. Decompose

D1: $t(w)s \mapsto J(t,w,s)$

D2: $x((b,p).w)s \mapsto x(\varepsilon)s \wedge x(\varepsilon)b,\ \ x(\varepsilon)s \wedge b|_p(w)s$

D3: $s = t \mapsto \cdots$ if $s,t \notin X$




Table 6. Elimination X 








Azj(yb, 



where Zj with j £ J are new variables 



Table 7. Occur-check

$\psi \mapsto \psi[y/x]$

if $x$ and $y$ are syntactically different and $x \leq y$ and $y \leq x$, where $\leq$ is the reflexive transitive closure of $<$ with "$x < y$ iff there is a sub-formula of $\psi$ of the form $y(w)t$ with $x \in var(t)$".



Theorem 3. Application of the rules of Table 2 terminates in a solved form.

In this table, for the rules of the form $\psi \mapsto \psi'$ where $\psi$ is an atomic formula ($s = t$ or $s(w)s'$), we tacitly assume a rule $\neg\psi \mapsto \neg\psi'$. Moreover, we suppose that $\neg\psi'$ is represented as a set of formulae in conjunctive normal form.
If we allow both existential and universal quantifiers, the decision problem becomes undecidable. Indeed, we can show that Post's correspondence problem is reducible to the decision problem in our logic.

Theorem 4. Post's correspondence problem is reducible to the decision problem for the SPL logic.

7 Conclusions 

We showed that it is possible to have a complete and effective Hoare logic for bounded cryptographic protocols and an expressive assertion language. This assertion language allows one to specify secrecy as well as authentication and other properties. As a consequence of this result, we have a decision procedure for bounded cryptographic protocols and a large class of security properties, allowing an infinite set of messages initially known by the intruder. The latter point might seem minor but is not. Indeed, if we are interested in composing protocols, we have to take into account that there is no bound on how many sessions have taken place before, and hence we should allow infinite sets of messages. Thus, in this paper, besides developing (to our knowledge) for the first time a result concerning the existence of an effective and complete Hoare logic for CP, we significantly extend existing decidability results in two directions: 1.) a larger class of properties and 2.) more general initial conditions. We also believe that this paper presents a general framework for a uniform presentation of different decidability results for bounded CP under weaker cryptographic hypotheses, e.g., considering equational theories. In the full paper, we develop this point of view for Cipher Block Chaining and for the xor-theory.

The method presented in this paper is a basis for analyzing unbounded protocols using approximations such as those used in [4], where widening is used to guarantee termination. The interesting results of [2] can be used to restrict the use of the widening operator, and hence obtain a more precise analysis.
Abstract. In order to study relative PCF-definability of boolean functions, we associate a hypergraph $H_f$ to any boolean function $f$ (following [3,5]).

We introduce the notion of timed hypergraph morphism and show that it is:

— Sound: if there exists a timed morphism from $H_f$ to $H_g$ then $f$ is PCF-definable relatively to $g$.

— Complete for subsequential functions: if $f$ is PCF-definable relatively to $g$, and $g$ is subsequential, then there exists a timed morphism from $H_f$ to $H_g$.

We show that the problem of deciding the existence of a timed morphism between two given hypergraphs is NP-complete.



1 Introduction 

PCF is a simple, paradigmatic functional programming language, defined by D. 
Scott in his seminal paper [11], a milestone in the area of denotational semantics. 

Following Scott, Plotkin studied in [8] the relationship between operational 
and denotational semantics of PCF. The main results of [8] may be summarized 
as follows: 

— The Scott model of PCF is adequate with respect to contextual equivalence. 

— The model is not complete, due to the presence of non-definable, “parallel” 
functions. 

— All the (algebraic) elements of the model become definable if a parallel con- 
ditional statement is added to the language. 

Since then, a lot of work has been devoted to the search for a satisfactory semantic characterization of the notion of PCF-definable function (see [2] for a survey). We now have a number of different notions of sequentiality, and all of them characterize exactly PCF-definability for first-order functions.

In this paper, we study the relative definability problem for Finitary PCF (FPCF) with respect to its Scott model. FPCF is the finitary fragment of PCF: it has a single ground type $\mathbf{B}$, the corresponding constants $\bot, tt, ff$, and just one more constant, the if-then-else.
The Scott model of FPCF is the finite type hierarchy where $[\![\mathbf{bool}]\!]$ is the flat domain of boolean values, and $[\![\sigma \to \tau]\!]$ is the set of monotonic functions from $[\![\sigma]\!]$ to $[\![\tau]\!]$, ordered pointwise. FPCF-terms are interpreted in the standard way in this model, and in particular, for every closed term $M : \sigma$, $[\![M]\!] \in [\![\sigma]\!]$.

An instance of the relative definability problem is a pair $f \in [\![\sigma]\!]$, $g \in [\![\tau]\!]$, and a solution is either a term $M : \tau \to \sigma$ such that $[\![M]\!](g) = f$, or a proof that such a term does not exist (when $M$ does exist, we say that $f$ is less parallel than $g$, and we write $f \leq_{par} g$).

Conceptually, the relative definability problem for the finitary fragment of 
PCF is settled: we know that it is undecidable in general [7] and decidable for 
functions of order 1 or 2 [12]. 

Nevertheless, decidability results may not be completely satisfactory: from a theoretical point of view, we still lack a characterization of the poset of degrees of parallelism (i.e. equivalence classes of inter-definable functions, noted $[f]$) which, even in the decidable case, is rich and complex [3,9].

In this paper, we give a complete, geometric characterization of relative definability for "subsequential", first-order functions; the exact correspondence we establish between geometric objects (a particular kind of hypergraph morphisms) and computational ones (the terms solving relative definability problems) is, we believe, interesting in itself.

Moreover, our analysis of relative definability problems provides a simple way of choosing, among the terms solving a given instance, an "optimal" one (for instance, a term defining $f$ with as few calls of $g$ as possible).

1.1 Related Work 

The study of degrees of parallelism was pioneered by Sazonov and Trakhtenbrot [10,14] who singled out some finite subposets of degrees. Some results on degrees are corollaries of well-known facts: for instance Plotkin's full abstraction result for PCF+por implies that this poset has a top. The bottom of degrees is the set of PCF-definable functions, which is fully characterized, for first-order functions, by the notion of sequentiality (in any of its formulations). Moreover Sieber's sequentiality relations [12] provide a characterization of first-order degrees of parallelism, and this characterization is effective: given $f$ and $g$ one can decide if $f \leq_{par} g$. A. Stoughton [13] has implemented an algorithm which solves this decision problem. R. Loader has shown that the problem of deciding if a given continuous function(al) is PCF-definable is undecidable [7]. As a consequence, the relation $\leq_{par}$ is undecidable in general (at higher order), since, if $g$ is PCF-definable and $f$ continuous, then $f$ is PCF-definable if and only if $f \leq_{par} g$.

In [3], the first author investigates the poset of degrees of parallelism using categories of hypergraphs for representing boolean functions. The starting point of the investigation was the observation that the trace of a function $f$ (i.e. the subset of the graph of $f$ whose first projection is the set of minimal points on which $f$ is defined) can be turned into a hypergraph $H_f$, in such a way that hypergraph morphisms from $H_f$ to $H_g$ are "witnesses" of the inequality $f \leq_{par} g$. In particular, a rich subposet of degrees for which the hypergraph representation is sound and complete is singled out in [3]. If $[f]$, $[g]$ belong to that subposet, $f \leq_{par} g$ holds if and only if there exists a morphism from $H_f$ to $H_g$. In [5] P. Malacaria and the first author showed a general result about hypergraphs and degrees: if there exists a morphism from $H_f$ to $H_g$, then $f \leq_{par} g$. However, for the notion of hypergraph morphism they used (the standard one, based on the preservation of hyperarcs), no general completeness result seems to hold.

1.2 Plan of the Paper 

In this paper we introduce a weaker notion of hypergraph morphism (the timed morphisms) and we show that it is sound in general, and complete for subsequential functions (i.e. for functions which have a sequential upper bound). The proof of soundness presented in [5] goes through for the framework of timed morphisms with some very minor changes. The proof of completeness is an application of Sieber's sequentiality relations.

In Section 2 we introduce the notions of hypergraphs representing boolean functions and of h-morphisms between them (h-morphisms were called "weak" in [5]; since timed morphisms are weaker, we change the terminology here). In Section 3 the "timed" hypergraph morphisms are defined, and we show by some examples how they behave as boolean function transformers. In Section 4, we recall some useful properties of subsequential functions. Sections 5, 6 and 7 are devoted to the proof of soundness and completeness of timed morphisms w.r.t. the relation $\leq_{par}$. Finally, Section 8 sketches a few complexity considerations.

2 Hypergraphs and h-Morphisms 

We denote by $\mathbf{B}$ the flat domain of boolean values $\{\bot, tt, ff\}$. Tuples of boolean values are ordered in the product order. Given a monotone function $f : \mathbf{B}^n \to \mathbf{B}$, the trace of $f$ is defined by

$tr(f) = \{(v,b) \mid f(v) = b \neq \bot \text{ and } v \text{ minimal}\}$

We denote the first and second projections by $\pi_1$ and $\pi_2$. In particular, $\pi_1(tr(f))$ is the set of minimal points where $f$ is defined.

A subset $A = \{v_1,\ldots,v_k\}$ of $\mathbf{B}^n$ is linearly coherent (or simply coherent) if for all $1 \leq i \leq n$ either $\exists 1 \leq j \leq k,\ v_j^i = \bot$, or $\forall 1 \leq j, j' \leq k,\ v_j^i = v_{j'}^i$ (where $v_j^i$ denotes the $i$-th component of $v_j$).

The set of coherent subsets of $\mathbf{B}^n$ is denoted $C(\mathbf{B}^n)$. Coherence is related to sequentiality: if $f$ is an $n$-ary boolean function and $\pi_1(tr(f))$ is coherent, then $f$ has no sequentiality index and it is not PCF-definable. Actually $f$ is definable if and only if no subset of $\pi_1(tr(f))$ is coherent.

The following easy property of coherence will be useful:

Fact 1 If $A \in C(\mathbf{B}^n)$ and $B$ is an Egli-Milner lower bound of $A$ (that is, if $\forall x \in A\ \exists y \in B\ y \leq x$ and $\forall y \in B\ \exists x \in A\ y \leq x$) then $B \in C(\mathbf{B}^n)$.

Definition 1. A colored hypergraph $H = (V_H, A_H, C_H)$ is given by:

— a finite set $V_H$ of vertices,

— a set $A_H \subseteq \{A \subseteq V_H \mid \#A \geq 2\}$ of (hyper)arcs,

— a coloring function $C_H : V_H \to \{ff, tt\}$.

Definition 2. Let $f : \mathbf{B}^n \to \mathbf{B}$ be the $n$-ary function defined by $tr(f) = \{(v_1,b_1),\ldots,(v_k,b_k)\}$. The hypergraph $H_f$ is defined by

— $V_{H_f} = \pi_1(tr(f))$,

— $A_{H_f}$ contains the coherent subsets of $\pi_1(tr(f))$ with at least two elements,

— $C_{H_f}(v_i) = b_i$.

One can check that the hypergraphs associated to monotone functions by the definition above (functional hypergraphs) verify the following conditions:

H1 : If $\{x,y\} \in A_H$ then $C_H(x) = C_H(y)$.

H2 : If $X_1, X_2$ are hyperarcs and $X_1 \cap X_2 \neq \emptyset$ then $X_1 \cup X_2$ is a hyperarc.



Definition 3. An h-morphism from a hypergraph $H$ to a hypergraph $K$ is a function $m : V_H \to V_K$ such that:

— for all $A \subseteq V_H$, if $A \in A_H$ then $m(A) \in A_K$;

— for all $X \in A_H$, if $x, x' \in X$ and $C_H(x) \neq C_H(x')$ then $C_K(m(x)) \neq C_K(m(x'))$.

Colored hypergraphs and h-morphisms form a category, $\mathcal{H}$. In [5], it has been proved that, if there exists an h-morphism from $H_f$ to $H_g$, then $f \leq_{par} g$. The problem of finding a weaker notion of hypergraph morphism, for which some sort of completeness result would hold, was left open.

We give here the motivating example for the definition of timed morphisms. Let $por_2 : \mathbf{B}^2 \to \mathbf{B}$ and $por_3 : \mathbf{B}^3 \to \mathbf{B}$ be defined by

$por_2(x,y) = tt$ if one of $x, y$ is $tt$, and $\bot$ otherwise;

$por_3(x,y,z) = tt$ if one of $x, y, z$ is $tt$, and $\bot$ otherwise.

The associated hypergraphs are:

[Figure: $H_2$, with vertices $\bot tt$ and $tt\bot$; $H_3$, with vertices $\bot tt\bot$, $tt\bot\bot$ and $\bot\bot tt$]

It is easy to see that there exists no h-morphism $m : H_3 \to H_2$. Nevertheless $por_3 \leq_{par} por_2$, since for instance $por_3 = [\![M]\!]por_2$ where

$M = \lambda f\,\lambda x_1 x_2 x_3\,.\ \text{if } f(f(x_1,x_2),x_3) \text{ then } tt \text{ else } \bot$



The tree of nested calls to $f$ in $M$ (the nesting tree of $M$), where the nodes are the occurrences of $f$ and the links are the arguments of $f$, is:

[Figure: nesting tree of $M$]

Actually, the nesting of calls to $f$ in the term which defines $por_3$ with respect to $por_2$ is necessary. By looking at the way $M$ "maps" the minimal points of $por_3$ onto the ones of $por_2$, we realize that at the outermost level $(tt,\bot,\bot)$ and $(\bot,tt,\bot)$ are both mapped on $(tt,\bot)$, while $(\bot,\bot,tt)$ is mapped on $(\bot,tt)$. The internal call of $f$ maps $(tt,\bot,\bot)$ on $(tt,\bot)$ and $(\bot,tt,\bot)$ on $(\bot,tt)$.
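The constructions of this section can be checked mechanically. The following Python is an added example rather than code from the paper: it computes traces, linear coherence, the functional hypergraph $H_f$ of Definition 2 and the h-morphisms of Definition 3 by brute force. The function names (`trace`, `is_coherent`, `hypergraph`, `h_morphisms`), the sample functions and the encoding of $\bot$ as `None` are assumptions of the example. It reproduces the point made above, that there is no h-morphism from $H_3$ to $H_2$, and applies the first-order definability criterion to a sequential conjunction, to $por_2$ and to Gustave's function.

```python
from itertools import product, combinations

# Added example (not the paper's code). Flat booleans: None plays ⊥,
# True plays tt, False plays ff.
BOOL = (None, True, False)

def leq(u, v):
    """Product order on tuples over B: ⊥ is below everything, tt and ff are incomparable."""
    return all(a is None or a == b for a, b in zip(u, v))

def trace(f, n):
    """tr(f): the minimal points of B^n on which f is defined, with f's value there."""
    defined = [v for v in product(BOOL, repeat=n) if f(*v) is not None]
    minimal = [v for v in defined if not any(u != v and leq(u, v) for u in defined)]
    return {v: f(*v) for v in minimal}

def is_coherent(vectors):
    """Linear coherence: in every coordinate, some vector is ⊥ or all vectors agree."""
    vectors = list(vectors)
    return all(any(v[i] is None for v in vectors) or len({v[i] for v in vectors}) == 1
               for i in range(len(vectors[0])))

def hypergraph(f, n):
    """H_f = (V, A, C): vertices are the minimal points, arcs the coherent
    subsets with at least two elements, colours the values of f."""
    colour = trace(f, n)
    V = tuple(colour)
    arcs = {frozenset(X) for k in range(2, len(V) + 1)
            for X in combinations(V, k) if is_coherent(X)}
    return V, arcs, colour

def definable_first_order(f, n):
    """Section 2's criterion: f is PCF-definable iff no subset of its minimal
    points (with at least two elements) is coherent, i.e. H_f has no arc."""
    return not hypergraph(f, n)[1]

def h_morphisms(H, K):
    """All h-morphisms H -> K (Definition 3), found by trying every vertex map."""
    VH, AH, CH = H
    VK, AK, CK = K
    found = []
    for image in product(VK, repeat=len(VH)):
        m = dict(zip(VH, image))
        arcs_ok = all(frozenset(m[x] for x in X) in AK for X in AH)
        colours_ok = all(CK[m[x]] != CK[m[y]]
                         for X in AH for x in X for y in X if CH[x] != CH[y])
        if arcs_ok and colours_ok:
            found.append(m)
    return found

# Sample functions (constructed for the example).
def por2(x, y):
    return True if True in (x, y) else None

def por3(x, y, z):
    return True if True in (x, y, z) else None

def seq_and(x, y):
    """Left-to-right sequential conjunction, i.e. 'if x then y else ff'."""
    if x is None:
        return None
    return False if x is False else y

def gustave(x, y, z):
    """Berry's stable, non-sequential function: tt on (tt,ff,⊥), (⊥,tt,ff), (ff,⊥,tt)."""
    if (x, y) == (True, False) or (y, z) == (True, False) or (z, x) == (True, False):
        return True
    return None

if __name__ == '__main__':
    H2, H3 = hypergraph(por2, 2), hypergraph(por3, 3)
    print('h-morphisms H3 -> H2:', len(h_morphisms(H3, H2)))
    print('h-morphisms H2 -> H3:', len(h_morphisms(H2, H3)))
    for name, f, n in [('seq_and', seq_and, 2), ('por2', por2, 2), ('gustave', gustave, 3)]:
        print(name, 'definable:', definable_first_order(f, n))
```

The absence of h-morphisms $H_3 \to H_2$ falls out of the arc condition alone: every pair of vertices of $H_3$ is an arc, so $m$ would have to be injective on three vertices with only two targets. In the other direction any injective map works, giving six h-morphisms $H_2 \to H_3$.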



3 Timed Morphisms 

The idea is the following: morphisms should be able to "collapse" a hyperarc on a singleton, provided that we have another morphism mapping this hyperarc on a hyperarc. More precisely, we want a finite sequence of morphisms $m_1 \ldots m_l$ with domains $D_i \in A_H$, such that if $m_i$ collapses a hyperarc $B$, there exists $m_{i+k}$ with domain $B$. In the proof of soundness, each step in the sequence will appear as a nesting in the term.

For our example, the sequence corresponding to $M$ is:

[Figure: the sequence of morphisms corresponding to $M$]

In general, by looking at the morphism from $H_f$ to $H_g$, one can easily see the nesting of calls to the defining function $g$ (and then build a term quite easily). First, we spot the vertices of $H_g$ corresponding to each argument of $g$ (1): $tt\bot$ for the first argument, $\bot tt$ for the second. Then, we know how to organize the nested calls to $g$: if we collapse a hyperarc $X$ on the vertex corresponding to the argument $i$, we put a call to $g$ at argument $i$, which will be defined by the morphism with domain $X$.

It should be noticed here that, in the general case, one cannot associate vertices of $H_g$ to arguments of $g$. Nevertheless, as shown in the proof of soundness, the existence of a timed morphism from $H_f$ to $H_g$ allows us to construct a term $g$-defining $f$, in general, even if the construction is more complicated than the one sketched above.

(1) In the general case, one cannot associate vertices to an argument. In our example $por_2$, this is obvious. For more details, see the proof of soundness.

Another example: let $f(x,y)$ be $tt$ whenever $x$ or $y$ is defined, and $\bot$ elsewhere. $H_f$ is:

[Figure: $H_f$, with vertices $tt\bot$, $ff\bot$, $\bot tt$, $\bot ff$]

The only subsets that are not coherent are $\{tt\bot, ff\bot\}$ and $\{\bot tt, \bot ff\}$. In the following, we will not draw the hyperarcs again. Here is a timed morphism from $H_f$ to $H_2$, and the corresponding term $\lambda g\,\lambda x\,\lambda y\,.\,M$ defining $f$ with $por_2$:

[Figure: the timed morphism from $H_f$ to $H_2$]

$M = g(\text{if } y \text{ then } \bot \text{ else } tt,\ N)$

$N = g(P,\ \text{if } x \text{ then } \bot \text{ else } tt)$

$P = g(\text{if } y \text{ then } tt \text{ else } \bot,\ \text{if } x \text{ then } tt \text{ else } \bot)$

The corresponding tree is:

[Figure: nesting tree of $M$]

but one can also easily find morphisms (and terms) for these nesting trees (and for some others, too):

[Figure: alternative nesting trees]

The leftmost nesting tree corresponds to the "natural" solution to this relative definability problem, namely:

$\lambda g\,\lambda x\,\lambda y\,.\ g(\text{if } x \text{ then } tt \text{ else } tt,\ \text{if } y \text{ then } tt \text{ else } tt)$

Timed morphisms are sequences. For a given problem, shorter sequences correspond to terms with smaller depth, w.r.t. the nesting of calls of $g$. Timed morphisms provide a handy tool for constructing these optimal solutions.

Actually, we give a more abstract, equivalent definition of timed morphisms. We will argue that the two notions coincide after the following couple of definitions.

Definition 4. Let $H = (V_H, A_H, C_H)$ be a (functional) hypergraph.

— The timed image of $H$, $\hat{H}$, is defined by: $V_{\hat H} = V_H$, $C_{\hat H} = C_H$ and $A_{\hat H} = A_H \cup \{\{v\} \mid v \in V_H\}$.

— Let $B \subseteq V_H$. $H|_B$ is the sub-hypergraph of $H$ defined by: $V_{H|_B} = B$, $A_{H|_B} = \{X \in A_H \mid X \subseteq B\}$, $C_{H|_B} = C_H|_B$.

Given two functional hypergraphs $H$, $K$, we say that a morphism $\alpha \in \mathcal{H}(H,K)$ is non-trivial if $\#\alpha(V_H) > 1$.

Definition 5. Let $H$, $K$ be functional hypergraphs. A timed morphism $\alpha \in \mathcal{TH}(H,K)$ is a collection

$\{\alpha_X \in \mathcal{H}(H|_X, K)\}_{X \in A_H}$

where all the $\alpha_X$'s are non-trivial, and non-redundant in the following sense:

$\forall X \subseteq Y \in A_H,\ \alpha_Y|_X \text{ is non-trivial} \Rightarrow \alpha_X = \alpha_Y|_X$

The intuitive description of timed morphisms in terms of sequences, given in the examples of this section, coincides with the definition above. Given a sequence $m = m^1,\ldots,m^l$ of h-morphisms from $H$ to $K$, and a hyperarc $X \in A_H$, define $\alpha_X = m^j|_X$, where $j$ is the smallest index such that $m^j|_X$ is non-trivial. Conversely, given $\{\alpha_X\}_{X \in A_H}$, we have to construct a sequence of morphisms $m^1,\ldots,m^l$ from (restrictions of) $H$ to $K$, such that if $m^i$ collapses a hyperarc $B$, there exists a non-trivial $m^{i+k}$ of domain $B$. Let $\{A_i\}_{i \in I}$ be the set of maximal elements of $A_H$ (note that these are disjoint, $H$ being functional); $m^1$ is obtained by "gluing" all the $\alpha_{A_i}$, $i \in I$. Now, letting $\{A_i\}_{i \in J}$ ($J \subseteq I$) be the set of maximal elements of $A_H$ which are "collapsed" by $m^1$, we take as the next morphisms of the sequence the $\alpha_{A_i}$, $i \in J$, and we proceed by considering the hyperarcs collapsed by them. By finiteness of $H$, iterating this construction we obtain a sequence $m^1,\ldots,m^l$ obeying the definition of timed morphism in terms of sequences. Timed morphisms compose componentwise (i.e. $(\alpha \circ \beta)_X = \alpha_{\beta(X)} \circ \beta_X$). To any h-morphism $m : H \to K$ corresponds canonically the timed morphism defined by $\alpha_A = m|_A$.
4 Subsequential Functions

A monotone function $f : \mathbf{B}^n \to \mathbf{B}$ is subsequential if it is extensionally upper bounded by a sequential (i.e. PCF-definable) function. As shown in Proposition 6, subsequential functions correspond to hypergraphs with monochromatic hyperarcs and to functions preserving linear coherence. Such a class of functions admits hence a natural characterization in order-theoretic, graph-theoretic and algebraic terms.

Proofs of the statements of this section can be found in [5].

Proposition 6. Let $f : \mathbf{B}^n \to \mathbf{B}$ be a monotone function. The following are equivalent:

1. $f$ is subsequential.

2. For all $A \in C(\mathbf{B}^n)$, $f(A) \in C(\mathbf{B})$ (i.e. $f$ preserves the linear coherence of $\mathbf{B}^n$).

3. If $X \in A_{H_f}$ then for all $x, y \in X$, $C_{H_f}(x) = C_{H_f}(y)$ (i.e. $X$ is monochromatic).

Given a set $A = \{v_1,\ldots,v_k\} \subseteq \mathbf{B}^n$, there exist in general a number of functions whose minimal points are exactly the elements of $A$. For instance, if the $v_i$ are pairwise unbounded, there exist $2^k$ such functions. The following lemma states that, among these functions, the subsequential ones are those whose degree of parallelism is minimal.

Lemma 7. Let $f, g : \mathbf{B}^n \to \mathbf{B}$ be such that $g$ is subsequential and $\pi_1(tr(f)) = \pi_1(tr(g))$. Then $g \leq_{par} f$.

In Section 5, we prove that if there exists a timed morphism $\alpha : H_f \to H_g$, then $f \leq_{par} g$. The following lemma introduces a key notion toward that result, namely that of slice function. The idea is the following: in order to reduce $f : \mathbf{B}^m \to \mathbf{B}$ to $g : \mathbf{B}^n \to \mathbf{B}$ we start by transforming the minimal points of $f$ into the ones of $g$. This amounts to defining a function from $\mathbf{B}^m$ to $\mathbf{B}^n$, that we describe as a set of functions $f_1,\ldots,f_n : \mathbf{B}^m \to \mathbf{B}$. If these functions are $g$-definable, then we can already $g$-define a function which is defined (that is, not equal to $\bot$) if and only if $f$ is defined, namely

$h = \lambda x.\ g(f_1 x)\ldots(f_n x)$

and we are left with the problem of forcing $h$ to agree with $f$ whenever it converges.

For the time being we show that, if the $f_i$'s are defined via a timed morphism $\alpha : H_f \to H_g$, then they are subsequential, hence "relatively simple".

Lemma 8. Let $f : \mathbf{B}^m \to \mathbf{B}$, $g : \mathbf{B}^n \to \mathbf{B}$ be monotone functions and $\alpha : H_f \to H_g$ a timed morphism. For $B \in A_{H_f}$, $1 \leq i \leq n$, let $f_i^B : \mathbf{B}^m \to \mathbf{B}$ be the function defined by

$tr(f_i^B) = \{(v, \alpha_B(v)_i) \mid v \in B,\ \alpha_B(v)_i \neq \bot\}$

Then $f_i^B$ is subsequential. We will call $f_i^B$ the $i$-th slice of $\alpha_B$.
5 Soundness

Timed morphisms are sound with respect to $\leq_{par}$, in the sense expressed by the following theorem:

Theorem 9. Let $f : \mathbf{B}^n \to \mathbf{B}$, $g : \mathbf{B}^m \to \mathbf{B}$ be monotone functions such that there exists a timed morphism from $H_f$ to $H_g$. Then $f \leq_{par} g$.

The proof is essentially the same as in [5]. The key point lies in the restriction of morphisms to a hypergraph. In [5], the hypothesis was too strong: we only need a morphism from this hyperarc to $H_g$; we do not need it to be a part of the initial morphism from $H_f$ to $H_g$. This generalization allows us to prove a completeness result.

6 Sequentiality Relations

Definition 10 (Sieber). For each $n > 0$ and each pair of sets $A \subseteq B \subseteq \{1,\ldots,n\}$ let $S^n_{A,B} \subseteq \mathbf{B}^n$ be defined by

$(b_1,\ldots,b_n) \in S^n_{A,B} \Leftrightarrow (\exists i \in A\ b_i = \bot) \vee (\forall i, j \in B\ b_i = b_j)$

An $n$-ary logical relation $R$ is called a sequentiality relation if it is an intersection of relations of the form $S^n_{A,B}$.

We define $S_{n,n+1} = S^{n+1}_{\{1,\ldots,n\},\{1,\ldots,n+1\}}$.

We write

$\begin{pmatrix} x_{11} & \cdots & x_{1n} \\ \vdots & & \vdots \\ x_{m1} & \cdots & x_{mn} \end{pmatrix} \in R$

meaning that each row is in $R$. A function $f : \mathbf{B}^m \to \mathbf{B}$ is invariant under the logical relation $R$ of arity $n$ if, whenever the matrix $(x_{ij})_{1 \leq i \leq m,\ 1 \leq j \leq n}$ is in $R$:

$(f(x_{11},\ldots,x_{m1}),\ldots,f(x_{1n},\ldots,x_{mn})) \in R$

Proposition 11. For any continuous functions $f : \mathbf{B}^n \to \mathbf{B}$ and $g : \mathbf{B}^m \to \mathbf{B}$, $f \leq_{par} g$ if and only if for any sequentiality relation $R$, if $g$ is invariant under $R$ then $f$ is invariant too.

Actually this is a relativized version of the main theorem of [12]: a continuous function of first or second order is PCF-definable if and only if it is invariant under all sequentiality relations.

Coherence is tightly related to sequentiality relations:

Lemma 12. Let $A = \{x_1,\ldots,x_n\} \subseteq \mathbf{B}^m$, and $B$ be a subset of $\{1,\ldots,n\}$. $\{x_i\}_{i \in B}$ is coherent iff $(x_{ij}) \in S^n_{B,B}$. Moreover, $A$ is coherent iff

$\begin{pmatrix} x_{11} & \cdots & x_{1n} & \bigwedge_{1 \leq j \leq n} x_{1j} \\ \vdots & & \vdots & \vdots \\ x_{m1} & \cdots & x_{mn} & \bigwedge_{1 \leq j \leq n} x_{mj} \end{pmatrix} \in S_{n,n+1}$

These sequentiality relations are closely related to strong stability at first order (see [4] for an overview on strong stability): $f$ is strongly stable if it preserves linear coherence (that is, $f$ is invariant under the relations $S^n_{B,B}$), and $f$ is conditionally multiplicative: if $A$ is coherent, $f(\bigwedge A) = \bigwedge_{a \in A} f(a)$ (that is, $f$ is invariant under the relation $S_{n,n+1}$).
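As an added example (not code from the paper), the following Python encodes Sieber's relations $S^n_{A,B}$, decides invariance of a first-order function by enumerating every matrix over $\mathbf{B}$, and checks the coherence characterization of Lemma 12. The function names, the sample functions, the encoding of $\bot$ as `None`, and the reading of $S_{n,n+1}$ as $S^{n+1}_{\{1,\ldots,n\},\{1,\ldots,n+1\}}$ are assumptions of the example. It exhibits a matrix showing that $por_2$ is not invariant under $S^3_{\{1,2\},\{1,2,3\}}$, whereas the sequential left-to-right conjunction is invariant under every $S^3_{A,B}$, as Sieber's theorem predicts for a PCF-definable function.

```python
from itertools import product, combinations

# Added example (not the paper's code). None plays ⊥, True tt, False ff.
BOOL = (None, True, False)

def seq_rel(n, A, B):
    """Sieber's S^n_{A,B}: a tuple b over B^n belongs to it iff some b_i with i in A
    is ⊥, or b is constant on the positions in B (positions are 1-based)."""
    def member(b):
        return (any(b[i - 1] is None for i in A)
                or all(b[i - 1] == b[j - 1] for i in B for j in B))
    return member

def s_n_n1(n):
    """S_{n,n+1}, taken here to be S^{n+1}_{{1..n},{1..n+1}} (assumption of the example)."""
    return seq_rel(n + 1, set(range(1, n + 1)), set(range(1, n + 2)))

def subsets(s):
    s = list(s)
    for k in range(len(s) + 1):
        for c in combinations(s, k):
            yield set(c)

def all_sequentiality_generators(n):
    """Every S^n_{A,B} with A ⊆ B ⊆ {1..n}. A function invariant under each of
    these is invariant under all their intersections, i.e. all sequentiality relations."""
    for B in subsets(range(1, n + 1)):
        for A in subsets(B):
            yield seq_rel(n, A, B)

def invariance_counterexample(f, m, n, relations):
    """Search all m x n matrices over B whose rows lie in every relation in
    `relations`; return the first whose column-wise image under the m-ary f
    leaves the relation, or None if f is invariant."""
    for cells in product(BOOL, repeat=m * n):
        rows = [cells[i * n:(i + 1) * n] for i in range(m)]
        if not all(r(row) for row in rows for r in relations):
            continue
        cols = [tuple(row[j] for row in rows) for j in range(n)]
        image = tuple(f(*c) for c in cols)
        if not all(r(image) for r in relations):
            return rows
    return None

def invariant_under_all(f, m, n):
    return all(invariance_counterexample(f, m, n, [r]) is None
               for r in all_sequentiality_generators(n))

def coherent_by_lemma12(vectors):
    """Lemma 12: {x_1..x_n} ⊆ B^m is coherent iff the m x n matrix with the
    x_i as columns has all its rows in S^n_{[n],[n]}."""
    vectors = list(vectors)
    n, m = len(vectors), len(vectors[0])
    R = seq_rel(n, set(range(1, n + 1)), set(range(1, n + 1)))
    return all(R(tuple(x[i] for x in vectors)) for i in range(m))

# Sample functions (constructed for the example).
def por2(x, y):
    return True if True in (x, y) else None

def seq_and(x, y):
    """'if x then y else ff': PCF-definable, hence invariant under all S^n_{A,B}."""
    if x is None:
        return None
    return False if x is False else y

if __name__ == '__main__':
    R = seq_rel(3, {1, 2}, {1, 2, 3})
    print('por2 counterexample for S^3_{{1,2},{1,2,3}}:', invariance_counterexample(por2, 2, 3, [R]))
    print('seq_and invariant under all S^3_{A,B}:', invariant_under_all(seq_and, 2, 3))
    gustave_points = [(True, False, None), (None, True, False), (False, None, True)]
    print('Gustave minimal points coherent:', coherent_by_lemma12(gustave_points))
```

A counterexample the search finds for $por_2$ is the matrix with rows $(tt,\bot,ff)$ and $(\bot,tt,ff)$: both rows have a $\bot$ in positions $\{1,2\}$, but the column-wise image $(tt,tt,ff)$ has no $\bot$ there and is not constant on $\{1,2,3\}$.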

7 Completeness

Theorem 13. Let $f : \mathbf{B}^m \to \mathbf{B}$ and $g : \mathbf{B}^n \to \mathbf{B}$ be subsequential functions such that $\mathcal{TH}(H_f,H_g) = \emptyset$. Then $f \not\leq_{par} g$.

Proof. The first remark is that $\mathcal{TH}(H_f,H_g) = \emptyset$ if and only if there exists $A \in A_{H_f}$ such that there is no non-trivial morphism from $H_f|_A$ to $H_g$. Throughout this proof, we restrict our attention to $H_f|_A$ for such an $A = \{v_1,\ldots,v_k\}$. Let $A_1,\ldots,A_l$ be the arcs of $H_f|_A$ and, for $1 \leq j \leq l$, let $B_j$ be the corresponding set of indices: $A_j = \{v_i\}_{i \in B_j}$.

We consider the $(k+1)$-ary sequentiality logical relation

$S_A = \bigcap_{1 \leq j \leq l} S^{k+1}_{B_j,B_j} \cap S_{k,k+1}$

If we prove that $g$ is invariant with respect to $S_A$ and $f$ is not, we are done. Let us start by proving that $f$ is not invariant.

Let $V = (v_1,\ldots,v_k,\bigwedge_{1 \leq j \leq k} v_j)$. By Lemma 12, for $1 \leq j \leq l$, $V \in S^{k+1}_{B_j,B_j}$, and $V \in S_{k,k+1}$, i.e. $V \in S_A$. On the contrary,

$(f(v_1), f(v_2), \ldots, f(v_k), f(\bigwedge_{1 \leq j \leq k} v_j)) \notin S_{k,k+1}$

since the first $k$ components of this vector are defined (the $v_j$ are in the trace of $f$), and the last is $\bot$ ($\bigwedge v_j$ can't be above a $v_j$). Therefore, this tuple does not belong to $S_A$.

It remains to show that $g$ is invariant under $S_A$. Let us suppose by reductio ad absurdum that there exists a matrix $W = (w_1,\ldots,w_{k+1}) \in (\mathbf{B}^n)^{k+1}$ such that

$W \in S_A$ and $g(W) = (g(w_1),\ldots,g(w_{k+1})) \notin S_A$

First, we note that, since $W \in S_A$, for all $1 \leq j \leq l$, $W \in S^{k+1}_{B_j,B_j}$, that is $\{w_i\}_{i \in B_j}$ is coherent, so $\{g(w_i)\}_{i \in B_j}$ is coherent, $g$ being subsequential, which entails, by Proposition 6 and Lemma 12, that $g(W) \in S^{k+1}_{B_j,B_j}$. Therefore, $g(W) \notin S_A$ means that $g(W) \notin S_{k,k+1}$, that is, $\forall j \leq k,\ g(w_j) \neq \bot$ and $\exists j, j' \leq k+1,\ g(w_j) \neq g(w_{j'})$. Since $g$ is subsequential and $\{w_1,\ldots,w_k\}$ is coherent (Lemma 12), $\forall j, j' \leq k,\ g(w_j) = g(w_{j'})$: there exists $b \in \{tt, ff\}$ such that

$\forall j \leq k,\ g(w_j) = b$ and $g(w_{k+1}) = \bot$

Hence any $w_j$, for $1 \leq j \leq k$, has at least a lower bound in $\pi_1(tr(g))$, which we denote by $z_j$. We have:

— the set $\{z_1,\ldots,z_k\}$ is not a singleton, otherwise $g(w_{k+1}) = b$, $w_{k+1}$ being above $\bigwedge_{1 \leq j \leq k} w_j$ by definition of $S_{k,k+1}$;

— for all $1 \leq j \leq l$ the set $\{z_i\}_{i \in B_j}$ is coherent, being an Egli-Milner lower bound of the coherent set $\{w_i\}_{i \in B_j}$ (see Fact 1);

— last, by Proposition 6, $f$ being subsequential, $C_{H_f}$ is constant on $A$.

Hence the function $\alpha_A : A \to H_g$ defined by $\alpha_A(v_i) = z_i$ is in $\mathcal{H}(H_f|_A, H_g)$, and it is not trivial, a contradiction.

Remark that, if g is subsequential and / is not, then / ^par g, hence the 
hypothesis of Theorem 13 could be weakened. 

In order to see that completeness of timed morphisms fails in general, let us consider the following monotone functions:

$f(\bot, tt, tt, ff) = tt$
$f(ff, \bot, tt, tt) = tt$
$f(tt, ff, \bot, tt) = tt$
$f(tt, tt, ff, \bot) = tt$

$g(\bot, tt, ff) = tt$
$g(ff, \bot, tt) = tt$
$g(tt, ff, \bot) = ff$

Since all subsets of $H_f$ with at least three elements are hyperarcs, and $H_g$ is composed of a single ternary hyperarc, it is easy to see that there is no non-trivial $h$-morphism from the maximal hyperarc of $H_f$ to $H_g$, and hence no timed morphism from $H_f$ to $H_g$. On the other hand $f \le_{par} g$, since the degree of $g$ (the “B-K function”) is the top of stable degrees ([6], p. 334), and $f$ is stable.

8 On the Complexity of Weak and Timed Morphisms 

Saturated hypergraphs are particularly simple functional hypergraphs, namely 
those whose sets of arcs are closed by union. 

We will reduce the set-splitting problem to the problem of the existence of an $h$-morphism between two saturated hypergraphs; then we will reduce this latter problem to that of the existence of a timed morphism between two saturated hypergraphs.

Hence, we show that deciding the existence of $h$-morphisms and of timed morphisms between saturated hypergraphs are both NP-hard problems.

On the other hand, deciding the existence of $h$-morphisms and timed morphisms, in the general case, is in NP, since checking that a given function preserves hyperarcs is a polynomial task, and the guess of such a function is also polynomial in the size of the hypergraphs.

Summing up, we show that deciding the existence of $h$-morphisms and of timed morphisms are both NP-complete problems.

Let us start by defining the set splitting problem (see for instance [1], problem number 37):

Instance: a set $U$ and a family $A_1, \ldots, A_k$ of subsets of $U$.

Question: is there a (non-trivial) partition $U = U_1 \cup U_2$ such that $A_j \cap U_1 \neq \emptyset$ and $A_j \cap U_2 \neq \emptyset$, for all $j$?

Given an instance $U, A_1, \ldots, A_k$ of the set splitting problem, we may suppose that $A_i \not\subseteq A_j$ for all $i \neq j$ (otherwise we drop $A_j$, without altering the instance).

We define the saturated hypergraph $H_1$, whose set of vertices is $U$ and whose minimal arcs are $A_1, \ldots, A_k$, and the hypergraph $\mathbf{2}$ whose set of vertices is a pair, say $\{0, 1\}$, and whose unique arc is $\{0, 1\}$.

Lemma 14. The given instance of the set splitting problem has a solution if and only if there exists an $h$-morphism from $H_1$ to $\mathbf{2}$.

Proof. If we have an $h$-morphism $f : H_1 \to \mathbf{2}$, we set $U_1 = f^{-1}(0)$ and $U_2 = f^{-1}(1)$. By construction, $U_1 \cup U_2 = U$, and for all $i$, $f(A_i) = \{0, 1\}$ because $A_i$ is a hyperarc of $H_1$, so $U_1 \cap A_i \neq \emptyset$ and $U_2 \cap A_i \neq \emptyset$.

Conversely, if $U_1, U_2$ is a solution, we define $f : x \mapsto j$ s.t. $x \in U_j$. $f$ is an $h$-morphism from $H_1$ to $\mathbf{2}$: $f$ is well-defined because $U_1 \cap U_2 = \emptyset$, and if $A$ is a hyperarc of $H_1$, then $A \supseteq A_i$ for some $i$ and since $A_i \cap U_j \neq \emptyset$ ($j = 1, 2$), $f(A) = \{0, 1\}$ which is a hyperarc of $\mathbf{2}$.
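As an added illustration of Lemma 14 (example code, not the paper's), the following Python encodes the saturated hypergraph $H_1$, the hypergraph $\mathbf{2}$, and both directions of the proof, deciding a constructed set-splitting instance by searching for $h$-morphisms; the hyperarc-preservation check is the polynomial test mentioned in Section 8, and the brute-force search is the NP "guess" of a function.

```python
from itertools import combinations, product

# Hypergraph 2 of the page: vertices {0, 1}, single arc {0, 1}.
TWO_ARCS = {frozenset({0, 1})}


def saturate(minimal_arcs):
    """Close a family of arcs under union, giving the saturated hypergraph H1
    whose minimal arcs are the given sets A_1, ..., A_k."""
    arcs = {frozenset(A) for A in minimal_arcs}
    grown = True
    while grown:
        grown = False
        for A, B in list(combinations(arcs, 2)):
            if A | B not in arcs:
                arcs.add(A | B)
                grown = True
    return arcs


def is_h_morphism(f, arcs, target_arcs):
    """Polynomial check from Section 8: f preserves hyperarcs, i.e. the image
    of every arc is an arc of the target hypergraph."""
    return all(frozenset(f[v] for v in A) in target_arcs for A in arcs)


def h_morphisms_to_two(vertices, arcs):
    """Guess-and-check (the NP upper bound): try every map into {0, 1}."""
    vs = sorted(vertices)
    for bits in product((0, 1), repeat=len(vs)):
        f = dict(zip(vs, bits))
        if is_h_morphism(f, arcs, TWO_ARCS):
            yield f


def split_from_morphism(f):
    """Lemma 14, first direction: U1 = f^-1(0), U2 = f^-1(1)."""
    return {x for x in f if f[x] == 0}, {x for x in f if f[x] == 1}


def morphism_from_split(U1, U2):
    """Lemma 14, converse: map x to 0 if x in U1, to 1 if x in U2."""
    return {**{x: 0 for x in U1}, **{x: 1 for x in U2}}


def is_splitting(U1, U2, U, family):
    """The set-splitting question: U1, U2 partition U and meet every A_j."""
    return (U1 | U2 == set(U) and not (U1 & U2)
            and all(set(A) & U1 and set(A) & U2 for A in family))


def solve_set_splitting(U, family):
    """Decide set splitting through Lemma 14: search h-morphisms H1 -> 2 and
    read the partition off the first one found; None if there is none."""
    for f in h_morphisms_to_two(U, saturate(family)):
        return split_from_morphism(f)
    return None


if __name__ == '__main__':
    # Constructed instances: the first is splittable, the second (all pairs of
    # a 3-element set, i.e. a triangle) is not.
    print(solve_set_splitting({1, 2, 3, 4}, [{1, 2}, {3, 4}, {1, 3}]))
    print(solve_set_splitting({1, 2, 3}, [{1, 2}, {1, 3}, {2, 3}]))
```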

We are left with the problem of reducing the existence of an $h$-morphism between a saturated hypergraph and $\mathbf{2}$ to the existence of some timed morphism.

Given a saturated hypergraph $H$ and $* \notin V_H$, let $H^*$ be the (saturated) hypergraph defined by $V_{H^*} = V_H \cup \{*\}$ and $\mathcal{A}_{H^*} = \{A \cup \{*\} \mid A \in \mathcal{A}_H\}$. Let $\mathbf{3}$ be the hypergraph with three vertices, say $\{0, 1, 2\}$, whose unique arc is the set of vertices itself.



Lemma 15. Let $H$ be a saturated hypergraph. There exists an $h$-morphism from $H$ to $\mathbf{2}$ if and only if there exists a timed morphism from $H^*$ to $\mathbf{3}$.

Proof. Let $H$ be a saturated hypergraph.

First, if $f$ is an $h$-morphism from $H$ to $\mathbf{2}$, define, for $B \in \mathcal{A}_{H^*}$,

$$\alpha_B(x) = \begin{cases} f(x) & \text{if } x \neq * \\ 2 & \text{if } x = * \end{cases}$$

$\{\alpha_B\}$ is clearly a timed morphism from $H^*$ to $\mathbf{3}$.

Now, for the converse, let $\{\alpha_B\}$ be a timed morphism from $H^*$ to $\mathbf{3}$. We have to define an $h$-morphism from $H$ to $\mathbf{2}$ which “splits” every arc of $H$.

The idea is the following: given two arcs $A \subseteq B$ of $H^*$, we know that either $\alpha_B(A) = \{\alpha_B(*)\}$ or $\alpha_B(A) = \{0, 1, 2\}$. In the latter case we can easily construct a (partial) morphism from $H$ to $\mathbf{2}$ which splits $A \setminus \{*\}$; in the former, there must exist an arc $C \subsetneq B$ such that $\alpha_C(A) = \{0, 1, 2\}$. In any case any arc will eventually be split. Gluing together all the (partial) splitting morphisms obtained in this way gives us the result.

More formally, we define a decreasing sequence of arcs of $H^*$, as follows:

— $A_0 = \bigcup\{A \mid A \in \mathcal{A}_{H^*}\}$

— $A_{n+1} = \bigcup\{A \in \mathcal{A}_{H^*} \mid A \subseteq \alpha_{A_n}^{-1}(*)\}$

For all $n$ such that $A_n \neq \emptyset$, $A_{n+1} \subsetneq A_n$, since $\alpha_{A_n}$ is non-trivial. Let $l_0$ be the smallest index such that $A_{l_0} = \emptyset$ (remark that $l_0 \le |\mathcal{A}_{H^*}|$, since at least one arc is split at each stage).

Let

$$i_n = \alpha_{A_n}(*), \qquad j_n = (i_n + 1) \bmod 3, \qquad k_n = (i_n + 2) \bmod 3$$

We define two disjoint subsets of $V_H$:

$$U_1 = \bigcup_{s=0}^{l_0 - 1} \alpha_{A_s}^{-1}(j_s), \qquad U_2 = \bigcup_{s=0}^{l_0 - 1} \alpha_{A_s}^{-1}(k_s)$$

It is not hard to check that $U_1, U_2$ split all the arcs of $H$; let us define:

$$f(x) = \begin{cases} 0 & \text{if } x \in U_1 \\ 1 & \text{otherwise} \end{cases}$$

We check that $f$ is an $h$-morphism from $H$ to $\mathbf{2}$, i.e. that given $A \in \mathcal{A}_H$, $f(A) = \{0, 1\}$.

First, note that, for some $n$, $A \subseteq A_{n-1}$ and $A \not\subseteq A_n$, since $(A_n)_n$ is a decreasing sequence. Moreover, $0 < n \le l_0$, since $A_0$ is the union of all the arcs of $H^*$, and $A_{l_0} = \emptyset$.

This means that $\alpha_{A_{n-1}}(A \cup \{*\}) = \{0, 1, 2\}$, hence $A \cap U_1 \neq \emptyset$ and $A \cap U_2 \neq \emptyset$. Finally, $f(A) = \{0, 1\}$ and we are done.

9 Conclusion 

For a wide class of boolean functions (the subsequential ones) we are able to solve relative definability problems in a geometric way, using a suitable representation of functions as hypergraphs and of PCF-terms as hypergraph morphisms.

We can also list all the (sensible) terms solving a given problem f,g, by 
enumerating the timed morphisms from Hf to Hg, and choose, for instance, the 
one which uses as few calls of g as possible (but other notions of optimality could 
be considered). 

A natural question is whether this approach can be extended to non-subsequential boolean functions and/or to higher-order functions. We do not know at present, but probably a combination of more complex representations of functions as hypergraphs and of more involved notions of morphisms is required.

In section 8 we have seen that the problem of relative definability is intractable in general; on the other hand, the algorithm of [13] can solve first order definability problems in reasonable time in some cases; it could be worth comparing the performance of the two approaches.
Abstract. In addition to behavioral properties, spatial logics can talk about other key properties of concurrent systems such as secrecy, freshness, usage of resources, and distribution. We study an expressive spatial logic for systems specified in the synchronous $\pi$-calculus with recursion, based on a small set of behavioral and spatial observations. We give coinductive and equational characterizations of the equivalence induced on processes by the logic, and conclude that it strictly lies between structural congruence and strong bisimulation. We then show that model-checking is decidable for a useful class of processes that includes the finite-control fragment of the $\pi$-calculus.



Introduction 

Spatial logics support the specification not only of behavioral properties but also of structural properties of concurrent systems, in a fairly integrated way. Spatial properties arise naturally in the specification of distributed systems, for instance connectivity, stating that there is always an access route between two different sites, unique handling, stating that there is at most one server process listening on a given channel name, or resource availability, stating that a bound exists on the number of channels that can be allocated at a given location. Even secrecy can sometimes be understood in spatial terms, since a secret is a piece of data whose knowledge is restricted to some parts of a system, and unforgeable by other parts [4,3]. Essentially, spatial logics are modal logics that can talk about the internal structure of each world. The interpretation of each world as a structured space, and moreover as a space seen as a certain kind of resource [23], distinguishes spatial logics among modal logics. Spatial logics have been recently used in the definition of several core languages, calculi, and data models [2,6,18,4,5]. In this paper, we study a logic for systems modeled in the synchronous $\pi$-calculus with spatial and temporal operators, freshness quantifiers, and recursive formulas.

Spatial and Behavioral Observations. In behavioral models of concurrency, a process is identified with its observable behavior, roughly, the sequence of interactions it can perform in the course of time. Modalities of a purely behavioral logic support the specification of processes by allowing us to talk about their actions; logics of this kind [21,11,12] are extensions of those introduced by Hennessy and Milner [19]. Although there is a traditional distinction between static and dynamic operations in process algebras [19], a purely behavioral semantics blurs the distinction between these two kinds of operations, to the extent that all process operators end up interpreted as purely behavioral, abstracting away from all structural information. The equivalence induced on the set of all processes by such logics is then expected to match some notion of behavioral equivalence (e.g., strong bisimulation).

Spatial logics offer an enhanced power of observation, when compared with purely behavioral logics, because they can distinguish between systems that differ in their distributed structure, but not in their behavior. Spatial observations may then appear perhaps too intensional. However, while certainly more intensional than purely behavioral observations, spatial observations are of a semantic nature, and should actually be extensional with respect to some well-defined model of space. Therefore, a spatial logic for concurrent processes should separate processes according to such a well-defined spatial/behavioral semantic model.

A spatial logic may then add to a given set of behavioral modalities a set of spatial operators, closely related to the static operators of the process calculus, as in [2]. For nominal process calculi, the static operators are the composition $P|Q$, its identity element $0$ (denoting the empty system), and the name restriction $(\nu n)P$. These process constructors give rise to the composition formula $A|B$, that holds of a process that can be separated into a process that satisfies formula $A$ and a process that satisfies formula $B$, to the void formula $0$, that holds of the void process, and to the hidden name quantifier $Hx.A$ that allows us to quantify over locally restricted channels.

Alternatively, a spatial logic can put a stronger emphasis on structure, and allow the observation of a process behavior in a more indirect way, using spatial adjuncts together with a minimal “next step” (cf., the formula $\langle\tau\rangle A$) or “eventually” behavioral modality. The first proposal in this vein is the ambient logic of [6], also adopted in the $\pi$-calculus logic of [4,3]. An advantage of this approach is its generality; moreover, it is easily adaptable to any process calculus whose operational semantics can be presented by means of a simple unlabeled reduction relation. Adjuncts are very expressive: the composition adjunct $A \triangleright B$ supports an internal definition of validity, and makes it possible to express quite general context/system specifications. However, model-checking of logics with composition adjunct, and including either quantification over names [9] or revelation [15], turns out to be undecidable even for the simplest process languages.

Overview and Contributions. In this work, we study a $\pi$-calculus logic which is based on purely structural spatial and behavioral observations. By “purely structural” we mean observations that can be determined by inspection of the local structure of the processes; therefore the logic does not include adjunct operators. As a consequence, we obtain decidability of model-checking on interesting classes of processes, and preserve the ability to express context-dependent behavioral and spatial properties.

For the spatial fragment we consider the connectives of composition, void, and revelation. For the behavioral fragment we pick a few simple modalities, defined either from the label $\tau$, that denotes an internal communication, or from one of the labels $\overline{n}(m)$ and $n(m)$, denoting respectively the action of sending name $m$ on channel $n$, and the action of receiving name $m$ on channel $n$. To this basic set of connectives, we add propositional operators, first-order and freshness quantifiers, and recursive definitions, along the lines of [4].

To illustrate in an informal way the expressiveness of the logic, we go through a few examples. First, we show that by combining the fresh and hidden name quantifiers with the behavioral operators we can define modalities for name extrusion and intrusion (cf., [21]).

$$\overline{n}(\nu x).A \triangleq Hx.\overline{n}(x).A \ \text{(Bound Output)} \qquad n(\nu x).A \triangleq \mathsf{N}x.n(x).A \ \text{(Bound Input)}$$



The definition of bound output uses the hidden name quantifier [2,4]. The hidden name quantifier is derivable [7] from the fresh name quantifier and the revelation operator: $Hx.A \triangleq \mathsf{N}x.x\circledR A$. Using these two operators we can define the following formula $Comm$.

$$Comm \triangleq \overline{m}(\nu x).A \mid m(\nu x).B \Rightarrow \tau.Hx.(A|B)$$

$$Pair \triangleq ((\nu n)\overline{m}(n).n(m).0) \mid m(q).\overline{q}(q).0$$

The formula $Comm$ talks about name extrusion: it says that two separate parts of a system can become “connected” by a shared secret, after interacting. For example, the process $Pair$ defined above satisfies the formula $Comm$. It also satisfies the formula $(\neg 0 | \neg 0) \wedge \tau.\neg(\neg 0 | \neg 0)$: this formula says that the process has two separate threads initially, that become tied by a private shared channel after a reduction step. This illustrates the fact that the logic has the power to count resources (e.g., threads, restricted channels). Combining spatial operators and recursive formulas we can define other useful operators, e.g., $H^*A \triangleq \mu X.(A \vee Hx.X)$; the formula $H^*A$ means that $A$ holds under a (finite) number of restricted names [4]. Then, the formula $\neg H^*\exists y.(\exists x.y(x).\top \mid \exists x.y(x).\top)$ expresses a unique handling property [20]; it is satisfied by systems that do not contain separate processes listening on the same (public or private) channel name.

The first contribution of this work is thus the proposal of the logic and the characterization of its expressive power, in terms of the equivalence relation (written $=_L$) it induces on processes, aiming at a better understanding of its intended spatial model. We give coinductive and equational characterizations of $=_L$, showing that it is a decidable congruence, even for the full process language with recursion. The equational presentation turns out to be the extension of the standard axiomatization of structural congruence with two natural principles: an axiom expressing absorption of identical choices (cf., the axiom $P + P = P$ for bisimulation), and a coinduction principle, asserting uniqueness of solutions to equations. This shows that $=_L$ lies strictly “in between” structural congruence and strong bisimulation; the gap towards strong bisimulation seems to be essentially justified by the failure of the expansion law in the spatial model. As a second contribution, we present a model-checker for the full logic and calculus, and show that model-checking is decidable for a class of bounded processes that includes the finite-control $\pi$-calculus. The algorithm builds on the decidable characterization of $=_L$, and its presentation is surprisingly compact: we believe this to be a consequence of adopting a Pset-based semantic foundation [4], and permutation-based techniques [14,22].



1 The Process Model 



In this section, we briefly introduce the syntax and operational semantics of the synchronous $\pi$-calculus. We adopt a version with guarded choice [20], but with recursion replacing replication.

Definition 1.1 (Actions and Processes). Given infinite sets $\Lambda$ of pure names ($m, n, p$) and $\mathcal{X}$ of process variables ($X, Y, Z$), the sets $\mathcal{A}$ of actions ($\alpha, \beta$), $\mathcal{N}$ of normal processes ($N, T, U$), $\mathcal{P}$ of processes ($P, Q, R$), and $\mathcal{F}$ of abstractions ($F, G$) are defined by

$$\alpha, \beta ::= m(n) \mid \overline{m}(n) \qquad\qquad N, T ::= \alpha.P \mid N + T$$

$$F, G ::= (n)P \qquad\qquad P, Q ::= 0 \mid N \mid P|Q \mid (\nu n)P \mid X[n] \mid (\mathrm{rec}\,X(n).P)[p]$$

Each component of a choice $N + T$ is a guarded process, that is, either an input process $m(n).P$ or an output process $\overline{m}(n).P$. In restriction $(\nu n)P$ and input $m(n).P$ the distinguished occurrence of the name $n$ is binding, with scope the process $P$. The bound names $bn(\alpha)$ of an action $\alpha$ are given by $bn(m(n)) = \{n\}$ and $bn(\overline{m}(n)) = \emptyset$. In a recursive process $(\mathrm{rec}\,X(n).P)[p]$, the distinguished occurrences of the variable $X$ and names $n$ are binding, with scope the process $P$. As usual, we require all free occurrences of $X$ in $P$ to be guarded, that is, they may only occur inside the continuation part $Q$ of a guarded process $\alpha.Q$ in $P$. For any process $P$, we assume defined as usual the set $fn(P)$ of free names of $P$, and the set $fpv(P)$ of free process variables of $P$. A process is closed if it does not contain free occurrences of process variables; in general by “process” we mean “closed process”.

Abstractions denote functions from names to processes; our basic use for abstractions is in the definition of substitutions for process variables. A substitution $\theta$ is a mapping assigning a name to each name in its finite domain $\mathcal{D}(\theta)$, and an abstraction of the appropriate arity to each process variable in $\mathcal{D}(\theta)$. We write $\{n \leftarrow m\}$ (respectively $\{X \leftarrow F\}$) for the singleton substitution of domain $\{n\}$ (respectively $\{X\}$) that assigns $m$ to $n$ (respectively $F$ to $X$).

We assume defined the relation of $\alpha$-congruence $\equiv_\alpha$ that identifies processes up to the safe renaming of bound names and bound process variables. For any process $P$ and substitution $\theta$ we denote by $\theta(P)$ the result of the safe application of $\theta$ to $P$ (using $\alpha$-conversion as needed to avoid illegal capture of free variables). The action of substitutions on process variables is defined as expected, e.g., if $\theta(X) = (q)P$ then $\theta(X[m]) = P\{q \leftarrow m\}$. We abbreviate $\{X \leftarrow (q)(\mathrm{rec}\,X(n).P)[q]\}$ by $\{X \leftarrow (\mathrm{rec}\,X(n).P)\}$, and write $P\theta$ or $\theta(P)$ for




76 L. Caires



Definition 1.2 (Observable Names). For every closed process $P$ and $i \ge 0$ we define

$ofn_i(0) = \emptyset$
$ofn_i(m(n).P) = \{m\} \cup (ofn_i(P) \setminus \{n\})$
$ofn_i(\overline{m}(n).P) = \{m, n\} \cup ofn_i(P)$
$ofn_i(P|Q) = ofn_i(P) \cup ofn_i(Q)$
$ofn_i(N + T) = ofn_i(N) \cup ofn_i(T)$
$ofn_i((\nu n)P) = ofn_i(P) \setminus \{n\}$
$ofn_0((\mathrm{rec}\,X(n).P)[p]) = \emptyset$
$ofn_{i+1}((\mathrm{rec}\,X(n).P)[p]) = ofn_i(P\{n \leftarrow p\}\{X \leftarrow (\mathrm{rec}\,X(n).P)\})$

The set $ofn(P)$ of observable names of $P$ is defined by $ofn(P) = \bigcup_{i \ge 0} ofn_i(P)$.

N.B. For any $P$, the set $ofn(P)$ is computable because the set of processes that, according to the definition of $ofn_i(-)$, are relevant to determine $ofn(P)$ is finite up to $\equiv_\alpha$ and renaming of revealed bound names (arising in the cases for $(\nu n)P$ and $m(n).P$).

The notion of “observable name” is less syntactic than that of “free name”, and more consistent with our intended structural model, where recursively defined processes are seen as certain infinite trees. For example, given $P = (\mathrm{rec}\,X(n).a(a).X[n])[p]$, the name $p$ is free in (the syntax of) $P$, but certainly not observable in the infinite process $a(a).a(a).\cdots$ that $P$ denotes. The set of observable names of a process is preserved by unfolding of recursive processes, and thus also by structural congruence. This point is important, because structural congruence plays a central role in the semantics of spatial formulas, and the logic should not distinguish processes that just differ on free but non-observable names. We can also verify that for all processes $P$, $ofn(P) \subseteq fn(P)$.
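To make Definition 1.2 concrete, here is an added Python example (not the paper's code) that encodes the process syntax of Definition 1.1 as tuples, implements recursion unfolding as substitution, and computes $ofn_i$ together with $ofn$ by cutting off repeated recursive instances, as the N.B. suggests; the tuple encoding and the assumption that bound names never clash with substituted names (Barendregt convention) are this example's own.

```python
# Mini pi-calculus terms as nested tuples (a constructed representation,
# not the paper's):
#   ('zero',)               0
#   ('out', m, n, P)        m<n>.P   output of n on m
#   ('in',  m, n, P)        m(n).P   input on m, binds n in P
#   ('par', P, Q)           P|Q
#   ('sum', N, T)           N+T
#   ('res', n, P)           (nu n)P  binds n in P
#   ('var', X, ps)          X[ps]    process variable applied to a name tuple
#   ('rec', X, ns, P, ps)   (rec X(ns).P)[ps]
# Assumption: bound names are chosen distinct from every name that is ever
# substituted in (Barendregt convention), so no alpha-renaming is needed.


def subst(P, sigma, X=None, rec=None):
    """Apply the name substitution sigma and, if X is given, replace every
    X[qs] by the recursive process rec = (X, ns, body) instantiated at qs."""
    s = lambda n: sigma.get(n, n)
    t = P[0]
    if t == 'zero':
        return P
    if t in ('out', 'in'):
        return (t, s(P[1]), s(P[2]), subst(P[3], sigma, X, rec))
    if t in ('par', 'sum'):
        return (t, subst(P[1], sigma, X, rec), subst(P[2], sigma, X, rec))
    if t == 'res':
        return (t, s(P[1]), subst(P[2], sigma, X, rec))
    if t == 'var':
        qs = tuple(s(q) for q in P[2])
        return ('rec', X, rec[1], rec[2], qs) if P[1] == X else ('var', P[1], qs)
    _, Y, ns, body, ps = P                     # t == 'rec'
    inner = None if Y == X else X              # an inner rec on Y shadows X
    return ('rec', Y, ns, subst(body, sigma, inner, rec), tuple(s(p) for p in ps))


def unfold(R):
    """One unfolding: (rec X(ns).P)[ps]  ->  P{ns<-ps}{X<-(rec X(ns).P)}."""
    _, X, ns, body, ps = R
    return subst(body, dict(zip(ns, ps)), X, (X, ns, body))


def _ofn(P, on_rec):
    """Clauses of Definition 1.2 other than recursion; on_rec decides what a
    recursive process contributes."""
    t = P[0]
    if t == 'zero':
        return frozenset()
    if t == 'out':                              # {m, n} u ofn(P)
        return frozenset({P[1], P[2]}) | _ofn(P[3], on_rec)
    if t == 'in':                               # {m} u (ofn(P) \ {n})
        return frozenset({P[1]}) | (_ofn(P[3], on_rec) - {P[2]})
    if t in ('par', 'sum'):
        return _ofn(P[1], on_rec) | _ofn(P[2], on_rec)
    if t == 'res':                              # ofn(P) \ {n}
        return _ofn(P[2], on_rec) - {P[1]}
    if t == 'rec':
        return on_rec(P)
    raise ValueError('free process variable in a closed process: %r' % (P,))


def ofn_i(P, i):
    """ofn_i: unfold recursion at most i times; ofn_0 of a rec process is {}."""
    return _ofn(P, lambda R: frozenset() if i == 0 else ofn_i(unfold(R), i - 1))


def ofn(P, path=frozenset()):
    """ofn(P) = union of all ofn_i(P).  Instead of iterating i, unfold each
    recursive process once per unfolding path: a rec instance met again on the
    same path only repeats names already collected higher up, and since no new
    names are ever generated there are finitely many instances, so this ends."""
    return _ofn(P, lambda R: frozenset() if R in path else ofn(unfold(R), path | {R}))


def fn(P):
    """Syntactic free names, for comparison (ofn(P) is a subset of fn(P))."""
    t = P[0]
    if t == 'zero':
        return frozenset()
    if t == 'out':
        return frozenset({P[1], P[2]}) | fn(P[3])
    if t == 'in':
        return frozenset({P[1]}) | (fn(P[3]) - {P[2]})
    if t in ('par', 'sum'):
        return fn(P[1]) | fn(P[2])
    if t == 'res':
        return fn(P[2]) - {P[1]}
    if t == 'var':
        return frozenset(P[2])
    return (fn(P[3]) - set(P[2])) | frozenset(P[4])   # rec: actual params are free


# The paper's example: P = (rec X(n). a(a).X[n])[p]; p is free but never observable.
P_EXAMPLE = ('rec', 'X', ('n',), ('in', 'a', 'a', ('var', 'X', ('n',))), ('p',))
# Constructed contrast: Q = (rec X(n). n<n>.X[n])[p] does observe its parameter p.
Q_EXAMPLE = ('rec', 'X', ('n',), ('out', 'n', 'n', ('var', 'X', ('n',))), ('p',))

if __name__ == '__main__':
    print('fn(P) =', set(fn(P_EXAMPLE)), ' ofn(P) =', set(ofn(P_EXAMPLE)))
    print('fn(Q) =', set(fn(Q_EXAMPLE)), ' ofn(Q) =', set(ofn(Q_EXAMPLE)))
```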

Structural congruence expresses basic identities on the structure of processes:

Definition 1.3 (Structural congruence). Structural congruence $\equiv$ is the least congruence relation on processes such that

$P \equiv_\alpha Q \Rightarrow P \equiv Q$ (Struct Alpha)
$P|0 \equiv P$ (Struct Par Void)
$P|Q \equiv Q|P$ (Struct Par Comm)
$P|(Q|R) \equiv (P|Q)|R$ (Struct Par Assoc)
$N + T \equiv T + N$ (Struct Cho Comm)
$N + (T + U) \equiv (N + T) + U$ (Struct Cho Assoc)
$n \notin ofn(P) \Rightarrow P|(\nu n)Q \equiv (\nu n)(P|Q)$ (Struct Res Par)
$(\nu n)0 \equiv 0$ (Struct Res Void)
$(\nu n)(\nu m)P \equiv (\nu m)(\nu n)P$ (Struct Res Comm)
$(\mathrm{rec}\,X(n).P)[p] \equiv P\{n \leftarrow p\}\{X \leftarrow (\mathrm{rec}\,X(n).P)\}$ (Struct Rec Unfold)



The behavior of processes is defined by a relation of reduction that captures the 
computations that a process may perform by itself. To observe the communica- 
tion flow between a process and its environment, we then introduce a relation 
of commitment. 
$\top$ (True): $[\![\top]\!]_v \triangleq \mathcal{P}$
$\eta = \eta'$ (Equality): $[\![n = m]\!]_v \triangleq$ if $n = m$ then $\mathcal{P}$ else $\emptyset$
$\neg A$ (Negation): $[\![\neg A]\!]_v \triangleq \mathcal{P} \setminus [\![A]\!]_v$
$A \wedge B$ (Conjunction): $[\![A \wedge B]\!]_v \triangleq [\![A]\!]_v \cap [\![B]\!]_v$
$0$ (Void): $[\![0]\!]_v \triangleq \{P \mid P \equiv 0\}$
$A \mid B$ (Composition): $[\![A \mid B]\!]_v \triangleq \{P \mid \exists Q, R.\ P \equiv Q|R \text{ and } Q \in [\![A]\!]_v \text{ and } R \in [\![B]\!]_v\}$
$\eta \circledR A$ (Revelation): $[\![n \circledR A]\!]_v \triangleq \{P \mid \exists Q.\ P \equiv (\nu n)Q \text{ and } Q \in [\![A]\!]_v\}$
$\forall x.A$ (Name quantification): $[\![\forall x.A]\!]_v \triangleq \bigcap_{n \in \Lambda} [\![A\{x \leftarrow n\}]\!]_v$
$\mathsf{N}x.A$ (Fresh quantification): $[\![\mathsf{N}x.A]\!]_v \triangleq \bigcup_{n \notin fn^v(A)} \big([\![A\{x \leftarrow n\}]\!]_v \setminus \{P \mid n \in fn(P)\}\big)$
$\alpha.A$ (Action): $[\![\alpha.A]\!]_v \triangleq \{P \mid \exists Q.\ P \xrightarrow{\alpha} Q \text{ and } Q \in [\![A]\!]_v\}$
$X$ (Propositional variable): $[\![X]\!]_v \triangleq v(X)$
$\nu X.A$ (Greatest fixpoint): $[\![\nu X.A]\!]_v \triangleq \bigcup \{\Psi \in \mathbb{P} \mid \Psi \subseteq [\![A]\!]_{v[X \leftarrow \Psi]}\}$

Fig. 1. Syntax and Semantics of the Logic



Definition 1.4 (Reduction). Reduction ($P \to Q$) is defined as follows:

$\overline{m}(n).Q + N \mid m(p).P + T \to Q \mid P\{p \leftarrow n\}$ (Red React)
$Q \to Q' \Rightarrow P|Q \to P|Q'$ (Red Par)
$P \to Q \Rightarrow (\nu n)P \to (\nu n)Q$ (Red Res)
$P \equiv P',\ P' \to Q',\ Q' \equiv Q \Rightarrow P \to Q$ (Red Struct)



Commitment coincides with the standard relation of labeled transition for the $\pi$-calculus ([25]), except that “bound output” and “bound input” labels are omitted. It turns out that bound output and bound input can be expressed in the logic from more primitive observations. Thus, a labelling action is either $\tau$, an input $m(n)$, or an output $\overline{m}(n)$.

Definition 1.5 (Commitment). Commitment ($P \xrightarrow{\alpha} Q$) is defined as follows:

$P \to Q \Rightarrow P \xrightarrow{\tau} Q$ (Com Red)
$m, n \notin p \Rightarrow (\nu p)(\overline{m}(n).Q + N \mid P) \xrightarrow{\overline{m}(n)} (\nu p)(Q|P)$ (Com Output)
$m, n \notin p \Rightarrow (\nu p)(m(q).Q + N \mid P) \xrightarrow{m(n)} (\nu p)(Q\{q \leftarrow n\}|P)$ (Com Input)
$P \equiv P',\ P' \xrightarrow{\alpha} Q',\ Q' \equiv Q \Rightarrow P \xrightarrow{\alpha} Q$ (Com Struct)



2 Logic 

In this section, we present the syntax and semantics of the logic, following closely the scheme of [4]; essentially, adjuncts are removed, and behavioral modalities added. Formulas ($A, B, C$) are built from pure names in $\Lambda$, name variables in $\mathcal{V}$ ($x, y, z$), and propositional variables in $\mathcal{X}$ ($X, Y, Z$) as defined in Fig. 1 (we use the metavariable $\eta$ to denote a name or name variable).
The set of logical operators includes propositional, spatial, and temporal operators, first-order quantification, freshness quantification, and recursive formulas. Boolean connectives and name equality are interpreted in the standard way. The basic spatial connectives correspond to the static operators of the $\pi$-calculus. The formula $\forall x.A$ denotes quantification over all names in $\Lambda$. The formula $\mathsf{N}x.A$ expresses fresh name quantification: a process satisfies $\mathsf{N}x.A$ if for some fresh (in the process and formula) name $n$, it satisfies $A\{x \leftarrow n\}$. The formula $\alpha.A$ is satisfied by all processes that after performing action $\alpha$ can evolve to a process that satisfies $A$.

In the formulas $\mathsf{N}x.A$, $\forall x.A$, and $\nu X.A$ the distinguished occurrences of $x$ and $X$ are binding, with scope the formula $A$. In a formula $\nu X.A$, we require $A$ to be monotonic in $X$, that is, every free occurrence of the propositional variable $X$ in $A$ occurs under an even number of negations. The connectives $\vee$, $\exists$, and $\mu X.A$ are definable as usual.

The relation of $\alpha$-congruence $\equiv_\alpha$ is defined on formulas in the standard way (safe renaming of bound variables). Given a formula $A$, the sets $fn(A)$ of free names of $A$, $fv(A)$ of free variables of $A$, and $fpv(A)$ of free propositional variables of $A$ are defined also as expected. We assume defined on formulas the capture avoiding substitution of names/variables for names/variables, and of propositional variables for formulas (written as usual, e.g., $A\{x \leftarrow n\}$, $\theta(A)$, $A\{X \leftarrow B\}$).

The semantics of formulas is given in a domain of Psets, following closely the approach of [4]. A Pset is a set of processes that is closed under $\equiv$ and has finite support. The support of a Pset is a finite set of names; intuitively, the set of names that are relevant for the property (cf., the free names of a formula). So a Pset is closed under transposition of names out of its support. Recall that a name permutation ($\rho$) is a bijective name substitution. As a special case, we consider name transpositions ($\tau$), writing $\{m \leftrightarrow n\}$ for the transposition of $m$ and $n$, that is, for the substitution that assigns $m$ to $n$ and $n$ to $m$. For any finite set of names $N$, we say that a name permutation $\rho$ fixes $N$ if $\rho(n) = n$ for all $n \in N$. We denote by $\mathrm{Perm}_N$ the set of all name permutations that fix $N$.

Definition 2.1 (PSet [4]). A property set $\Psi$ is a set of processes such that

1. For all processes $Q$, if $P \in \Psi$ and $P \equiv Q$ then $Q \in \Psi$.

2. There exists a finite set of names $N$ such that, for all $n, m \notin N$, if $P \in \Psi$ then $P\{n \leftrightarrow m\} \in \Psi$.

We denote by $\mathbb{P}$ the collection of all Psets. The denotation of a formula $A$ is given by a Pset $[\![A]\!]_v$, with respect to a valuation $v$ that assigns to each propositional variable free in the formula $A$ a Pset in $\mathbb{P}$, defined in Fig. 1. Every Pset $\Psi \in \mathbb{P}$ has a least support [14,4], denoted by $supp(\Psi)$. If $A$ is a formula, and $v$ a valuation for $A$, we define the set $fn^v(A)$ of free names of $A$ under $v$ by

$$fn^v(A) = fn(A) \cup \bigcup\{supp(v(X)) \mid X \in fpv(A)\}$$

Hence $fn^v(A)$ is almost $fn(A)$, except that we take $fn(X) = supp(v(X))$ for any $X \in fpv(A)$, so that $fn^v(A) = fn(A)$ for any closed formula $A$. $fn^v(A)$ is
used in the semantic clause for the fresh name quantifier, where the selected quantification witness must be fresh for the property set denoted by a formula that may contain free occurrences of propositional variables.

The denotation mapping $[\![-]\!]_v$ satisfies certain fundamental properties, collected in the next Proposition 2.2 and Proposition 2.3. In Proposition 2.2 we refer to transposition of Psets and valuations: if $\Psi$ is a Pset (supported by $N$), then $\tau(\Psi) = \{\tau(P) \mid P \in \Psi\}$ is also a Pset (supported by $\tau(N)$). We can also define the action of transpositions on valuations as follows: when $v$ is a valuation, $\tau(v)$ is the valuation with the same domain as $v$ and defined by $\tau(v)(X) = \tau(v(X))$, for all $X \in \mathcal{X}$ in the domain of $v$.

Proposition 2.2. Let $A$ be a closed formula, and $v$ a valuation for $A$. Then

1. $[\![A]\!]_v \in \mathbb{P}$ with $supp([\![A]\!]_v) \subseteq fn^v(A)$.

2. For all transpositions $\tau$, $\tau([\![A]\!]_v) = [\![\tau(A)]\!]_{\tau(v)}$.

3. (Gabbay-Pitts) Let $M$ be a finite set of names such that $fn^v(A) \cup fn(P) \subseteq M$. If $P \in [\![A\{x \leftarrow p\}]\!]_v$ for some $p \notin M$, then $P \in [\![A\{x \leftarrow p\}]\!]_v$ for all $p \notin M$.

Proposition 2.3. Let $A$ be a formula monotonic in $X$ and $v$ a valuation for the formula $\nu X.A$. Let $\phi$ be the mapping $\mathbb{P} \to \mathbb{P}$ defined by $\phi(\Psi) = [\![A]\!]_{v[X \leftarrow \Psi]}$.

1. $\phi$ is monotonic.

2. $\phi$ has a greatest fixpoint (written $\nu\Psi.\phi(\Psi)$ or $GFix(\phi)$) and $[\![\nu X.A]\!]_v = GFix(\phi)$.

3. For every $\Psi \in \mathbb{P}$, $\Psi \subseteq \nu S.\phi(S)$ if and only if $\Psi \subseteq \phi(\nu S.(\Psi \cup \phi(S)))$.

Proposition 2.2 is proved as Theorem 4.2.1 in [4]. Proposition 2.3 collects some results about fixpoints that carry over to the domain of Psets; (3) is the “reduction lemma” [26].

3 Expressiveness 

We have already discussed how spatial properties reflect an enhanced observational power when compared with behavioral properties. However, spatial properties are expected to be invariant under a natural notion of structural identity; in turn, structural identity is expected to be close to structural congruence [16,24]. For example, the processes $m(n) \mid p(n)$ and $m(n).p(n) + p(n).m(n)$ are equivalent with respect to the standard strong bisimulation semantics, but are distinguished by the formula $\neg 0 | \neg 0$, which holds of systems constructed from at least two separate non-void parallel components. Hence, these processes, although strongly bisimilar, are not logically equivalent: the logical equivalence relation $=_L$ induced by a logic on a set of processes is given by defining $P =_L Q$ whenever for any closed formula $A$, $P \in [\![A]\!]$ if and only if $Q \in [\![A]\!]$.

Conversely, the processes $(\mathrm{rec}\,X.\,n(m).X)$ and $(\mathrm{rec}\,X.\,n(m).n(m).X)$ are strongly bisimilar, and in fact cannot be distinguished by any formula of the logic: both processes denote the same single-threaded behavior. However, they are not structurally congruent. In this section, we discuss the relation between
the equivalence induced by the logic and some process equivalences, and conclude that logical equivalence is strictly coarser than structural congruence, and strictly finer than strong bisimulation. Logical equivalence can be equationally characterized by modularly extending structural congruence as defined in Definition 1.3 with two natural principles; we call the resulting congruence extended structural congruence. Extended structural congruence is decidable, and plays a useful role in the model-checker presented in Section 4.

Definition 3.1. Extended structural congruence $\equiv^e$ is the least congruence relation on processes generated by the axioms of structural congruence in Definition 1.3 and the following two axioms

$X$ guarded in $Q$, $P \equiv^e Q\{X \leftarrow (q)P\} \Rightarrow P \equiv^e (\mathrm{rec}\,X(q).Q)[q]$ (Struct Rec Solve)

$\alpha.P + \alpha.P \equiv^e \alpha.P$ (Struct Cho Abs)

Our results about $\equiv^e$ build on a characterization of $=_L$ in terms of structural bisimulations. Natural notions of structural bisimulation have been defined [24,16], following the usual coinductive pattern of progressive observation of process commitments. For our purposes we find it more convenient to define structural bisimulations on representations of processes based on finite systems of equations. This choice supports a compact representation for structural bisimulations, and brings several technical simplifications.

Definition 3.2. An equation (defining $X$) has the form $X[n] = P$ where $X$ is a process variable, and $P$ is a process. A system is a pair $\mathcal{S} = (X[m], S)$ where $X$ is a process variable (the root of $\mathcal{S}$), and $S$ is a finite set of equations, such that every process variable appearing in $S$ is uniquely defined by some equation in $S$.

The domain $\mathcal{D}(\mathcal{S})$ of a system $\mathcal{S}$ is the set of all process variables defined in $S$. We write $na(\mathcal{S})$ for the set of names that occur in the equations of $\mathcal{S}$. If $S$ is a set of equations and $X[q] = Q \in S$, we denote by $S(X)[p]$ the process $Q\{q \leftarrow p\}$. A system $\mathcal{S}$ is expanded if all of its equations have the general form

$X[m] =$

Since choice is associative and commutative, we denote by $\Sigma_i \alpha_i.P_i$ a choice $\alpha_1.P_1 + \cdots + \alpha_k.P_k$. We can now define:

Definition 3.3. Let S_P = (X₀, 𝒮_P) and S_Q = (Y₀, 𝒮_Q) be two expanded systems, where M = na(S_P) ∪ na(S_Q). A structural bisimulation for S_P and S_Q is a relation ≈ such that

1. ≈ ⊆ {(X[n], Y[m]) | X ∈ D(S_P), Y ∈ D(S_Q), m, n names} and X₀ ≈ Y₀;

2. If X[p] ≈ Y[q] then there are m, N, T with m ∩ M = ∅ and #N = #T, such that 𝒮_P(X)[p] = (νm)N, 𝒮_Q(Y)[q] = (νm)T, and for all i = 1, …, #N and α such that bn(α) ∉ m ∪ M:

   If Nᵢ --α--> X'[p'] for some X', p' then there exists Y' such that Tᵢ --α--> Y'[q'] and X'[p'] ≈ Y'[q'];

   If Tᵢ --α--> Y'[q'] for some Y', q' then there exists X' such that Nᵢ --α--> X'[p'] and X'[p'] ≈ Y'[q'].
$|\mathbf{0}|^N_q \triangleq (X[q], \{X[q] = \mathbf{0}\})$

$|(\nu n)P|^N_q \triangleq (X[q], \{X[q] = (\nu n m)R\} \cup \mathcal{S}_P)$, where $|P|^N_{qn} = (Y[qn], \mathcal{S}_P)$, $\mathcal{S}_P(Y)[qn] = (\nu m)R$, $n \in \mathit{ofn}(P)$

$|(\nu n)P|^N_q \triangleq (Y[q], \mathcal{S}_P)$, where $|P|^N_q = (Y[q], \mathcal{S}_P)$, $n \notin \mathit{ofn}(P)$

$|P \mid Q|^N_q \triangleq (X[q], \{X[q] = (\nu m n)(R \mid S)\} \cup \mathcal{S}_P \cup \mathcal{S}_Q)$, where $|P|^N_q = (Y[q], \mathcal{S}_P)$, $\mathcal{S}_P(Y)[q] = (\nu n)R$, $|Q|^N_q = (Z[q], \mathcal{S}_Q)$, $\mathcal{S}_Q(Z)[q] = (\nu m)S$

$|\Sigma_i\, \alpha_i.P_i|^N_q \triangleq (X[q], \{X[q] = \Sigma_i\, \alpha_i.Y_i[q p_i]\} \cup \bigcup_i \mathcal{S}_{P_i})$, where $|P_i|^N_{q p_i} = (Y_i[q p_i], \mathcal{S}_{P_i})$, $p_i = \mathit{bn}(\alpha_i)$

$|(\mathrm{rec}\,X(q).P)[p]|^N_r \triangleq (Z[r], \{Z[r] = \mathcal{S}(Y)[rp]\} \cup \mathcal{S}{\downarrow}Y)$, where $|P\{X \leftarrow (q)Y[rq]\}|^N_{rq} = (Y[rq], \mathcal{S})$

$|Y[p]|^N_q \triangleq (Y[p], \emptyset)$

Fig. 2. Systems from processes.



In clause 2, N and T denote sequences of guarded processes, so that each Nᵢ and Tᵢ denotes a (possibly singleton) choice process, and we write #N for the length of the sequence N. We write S ≈ S' to state that there is a structural bisimulation for S and S'.

Definition 3.4. For any process P such that fn(P) ⊆ q ∪ N we define a system |P|^N_q as specified in Fig. 2.

We denote by |P| the system |P|^{fn(P)}_∅ = (Z, 𝒮). When constructing |P|^N_q we require N ∩ q = ∅ and, more generally, that the bound names introduced in the cases for restriction and input are distinct, and different from free names, using ≡_α on P if needed. In the case for the recursive process, by 𝒮↓Y we denote the set of equations obtained from 𝒮 by applying the substitution {Y ← (rq)𝒮(Y)[rq]} to every equation where Y appears unguarded. We can then verify that, for any P, the system |P| is expanded, and unique up to the choice of bound names and process variables.

Example 3.5. Let P = (rec Y.a(m).(Y | b(m).0)). Then fn(P) = {a, b}, and:

(1) |Z' | b(m).0|_m = (Z₁[m], {Z₁[m] = Z' | b(m).Z₂[m], Z₂[m] = 0});

(2) |a(m).(Z' | b(m).0)|_∅ = (Z', {Z' = a(m).Z₁[m], Z₁[m] = Z' | b(m).Z₂[m], Z₂[m] = 0});

(3) |P| = (Z₀, {Z₀ = a(m).Z₁[m], Z₁[m] = a(m').Z₁[m'] | b(m).Z₂[m], Z₂[m] = 0}).

A solution for the system S is an assignment of an abstraction (qᵢ)Qᵢ of appropriate arity to each process variable Xᵢ in D(S) such that Qᵢ ≡ₑ Pᵢ{X₁ ← (q₁)Q₁} ··· {Xₙ ← (qₙ)Qₙ} for every equation Xᵢ[qᵢ] = Pᵢ of S. We can prove:

Lemma 3.6. There is a solution s for |P|^N_q = (X[q], 𝒮) with s(X) ≡ₑ (q)P.

Lemma 3.7. For all processes P and Q, if P ≡ₑ Q then |P| ≈ |Q|.

Proof. By induction on the derivation of P ≡ₑ Q, and construction of appropriate structural bisimulations.

Lemma 3.8. For all processes P and Q, if |P| ≈ |Q| then P ≡ₑ Q.

Proof. From |P| ≈ |Q| we build another system Z = (Z₀, 𝒵) such that |P| ≈ Z ≈ |Q|. Then we show that any solution s for Z gives rise to solutions for |P| and |Q|, such that P ≡ₑ s(Z₀) ≡ₑ Q, and conclude by transitivity of ≡ₑ. The proof follows the pattern of completeness proofs for equational characterizations of "rational trees" (e.g. [1]); but the need to cope with binding operators (with scope extrusion) and structural congruence raises some additional challenges.

We thus conclude:

Proposition 3.9. For all processes P and Q, |P| ≈ |Q| if and only if P ≡ₑ Q.

Moreover, since the existence of a structural bisimulation for |P| and |Q| just depends on the inspection of a number of pairs that is finite up to name permutations fixing na(|P|) ∪ na(|Q|), we have:

Lemma 3.10. For all processes P and Q, it is decidable to check P ≡ₑ Q.

A main result of this section is then the following property.

Proposition 3.11. For all processes P and Q, P =ₗ Q if and only if P ≡ₑ Q.

The proof makes essential use of the characterization of extended structural congruence in terms of structural bisimulation, and requires some build-up, namely the definition of (bounded) characteristic formulas. These formulas characterize processes up to a certain "depth", modulo extended structural congruence.

Definition 3.12 (Characteristic Formulas). Given a process P and k ≥ 0, we define a formula [P]ₖ as specified in Fig. 3.

N.B. When G is a multiset of guarded processes, we use the notation ΣG to denote the choice of the elements of G, e.g., Σ{a(p).P, a(q).Q, b(r).P} denotes the process a(p).P + a(q).Q + b(r).P.

Notice that [−]ₖ is well-defined by induction on the pairs (k, s(P)) (ordered lexicographically), where s(P) is the number of process operators in P that do not occur behind a prefix. Intuitively, the formula 1 is satisfied precisely by non-void processes that cannot be split in two non-void parts, that is, P satisfies 1 if and only if P is single-threaded. The formula NR is satisfied by those processes that do not contain a "true" restricted name at the top level, that is, P satisfies NR if and only if for all n and P' such that P ≡ (νn)P' it is always the case that n ∉ ofn(P'). Recall that P satisfies ©n if and only if n ∈ ofn(P). So, a process P satisfies GG if and only if P is structurally congruent to a choice process. The intent of the formula ActO_G (respectively ActI_G) is to characterize what output (respectively input) actions a choice process offers, while Out^k_G and Out^{k,*}_G (resp. In^k_G and In^{k,*}_G) characterize the effects of output (resp. input) actions.

We can also define a notion of finite approximations to structural bisimulations, along standard lines, and write S ≈ₖ S' if there is a structural bisimulation of depth k for S and S'. We then have:




Behavioral and Spatial Observations in a Logic for the π-Calculus   83



$[P]_0 \triangleq \mathbf{T}$

$[\mathbf{0}]_{k+1} \triangleq \mathbf{0}$

$[P \mid Q]_{k+1} \triangleq [P]_{k+1} \mid [Q]_{k+1}$

$[(\nu q)P]_{k+1} \triangleq \text{И}x.(\copyright x \wedge [P]_{k+1}\{q \leftarrow x\})$ if $q \in \mathit{ofn}(P)$

$[(\nu q)P]_{k+1} \triangleq [P]_{k+1}$ if $q \notin \mathit{ofn}(P)$

$[\Sigma G]_{k+1} \triangleq GG \wedge \mathit{Out}^k_G \wedge \mathit{In}^k_G \wedge \mathit{ActI}_G \wedge \mathit{ActO}_G$

$[(\mathrm{rec}\,X(q).P)[p]]_k \triangleq [P\{q \leftarrow p\}\{X \leftarrow (\mathrm{rec}\,X(q).P)\}]_k$

$NR \triangleq \neg\text{И}x.\copyright x$

$GG \triangleq 1 \wedge NR$

$\copyright n \triangleq n{\circledR}\mathbf{T}$

$[\alpha].A \triangleq \neg\alpha.\neg A$

[The definitions of $\mathit{Out}^k_G$, $\mathit{Out}^{k,*}_G$, $\mathit{In}^k_G$ and $\mathit{In}^{k,*}_G$ are illegible in the scanned figure.]

$\mathit{ActI}_G \triangleq \forall x.\forall y.[x(y)].\bigvee_{n(q).Q \in G}\, x = n$

$\mathit{ActO}_G \triangleq \forall x.\forall y.[x\langle y\rangle].\bigvee_{n\langle m\rangle.Q \in G}\, (x = n \wedge y = m)$

Fig. 3. Construction of Bounded Characteristic Formulas



Lemma 3.13. If S ≈ₖ S' for all k ≥ 0, then S ≈ S'.

We can then show that our definition of bounded characteristic formulas is correct, in the sense of the following lemma:

Lemma 3.14. For all k ≥ 0 and processes P, Q we have

1. P ∈ ⟦[P]ₖ⟧;

2. If Q ∈ ⟦[P]ₖ⟧ then |P| ≈ₖ |Q|.

Proof. Induction on k.

Lemma 3.15. For all processes P and Q, if P =ₗ Q then P ≡ₑ Q.

Proof. Consider the formulas [P]ₖ for all k ≥ 0. By Lemma 3.14(1), we have P ∈ ⟦[P]ₖ⟧, for all k ≥ 0. Since P =ₗ Q, we have Q ∈ ⟦[P]ₖ⟧ for all k ≥ 0. By Lemma 3.14(2), we have |P| ≈ₖ |Q|, for all k ≥ 0. By Lemma 3.13, |P| ≈ |Q|. By Lemma 3.8, P ≡ₑ Q.

Lemma 3.16. For all processes P and Q, if P ≡ₑ Q then P =ₗ Q.

Proof. We first prove, by induction on the structure of formulas, that satisfaction is closed under ≡ₑ (cf. Proposition 2.2(1)). The statement then follows.

This concludes the proof of Proposition 3.11. Since the modalities introduced for early strong bisimulation in [21] are expressible in the logic, we also have:

Proposition 3.17. The equivalence relation induced by the logic on the set of all processes is strictly included in early strong bisimulation.
$\mathcal{C}(P,v,\mathbf{T}) = \mathit{true}$

$\mathcal{C}(P,v,n = m) = \mathit{Test}(m = n)$

$\mathcal{C}(P,v,\neg A) = \mathit{not}\;\mathcal{C}(P,v,A)$

$\mathcal{C}(P,v,A \wedge B) = \mathcal{C}(P,v,A)\;\mathit{and}\;\mathcal{C}(P,v,B)$

$\mathcal{C}(P,v,\mathbf{0}) = \mathit{Test}(P \equiv \mathbf{0})$

$\mathcal{C}(P,v,A \mid B) = \mathit{Exists}\;Q,R.\;(Q,R) \in \mathit{Comp}(P)\;\mathit{and}\;\mathcal{C}(Q,v,A)\;\mathit{and}\;\mathcal{C}(R,v,B)$

$\mathcal{C}(P,v,n{\circledR}A) = \mathit{Exists}\;Q.\;Q \in \mathit{Res}(n,P)\;\mathit{and}\;\mathcal{C}(Q,v,A)$

$\mathcal{C}(P,v,\alpha.A) = \mathit{Exists}\;Q.\;Q \in \mathit{Red}(\alpha,P)\;\mathit{and}\;\mathcal{C}(Q,v,A)$

$\mathcal{C}(P,v,\forall x.A) = \mathcal{C}(P,v,A\{x \leftarrow \mathit{new}(\mathit{fn}(P) \cup \mathit{fs}^v(A))\})\;\mathit{and}\;\mathit{All}\;n \in \mathit{fn}(P) \cup \mathit{fs}^v(A).\;\mathcal{C}(P,v,A\{x \leftarrow n\})$

$\mathcal{C}(P,v,\text{И}x.A) = \mathcal{C}(P,v,A\{x \leftarrow \mathit{new}(\mathit{fn}(P) \cup \mathit{fs}^v(A))\})$

$\mathcal{C}(P,v,X) = \mathit{let}\;(S,\nu X.A) = v(X)\;\mathit{in}\;\mathit{if}\;\mathit{In}(P,v,X)\;\mathit{then}\;\mathit{true}\;\mathit{else}\;\mathcal{C}(P,v(X+P),A)$

$\mathcal{C}(P,v,\nu X.A) = \mathcal{C}(P,v[X \leftarrow (\{P\},\nu X.A)],A)$

$\mathit{In}(P,v,X) = \mathit{let}\;(S,A) = v(X)\;\mathit{in}\;\mathit{Exists}\;Q \in S\;\mathit{and}\;\mathit{Test}(P \equiv_{\mathit{fs}^v(A)} Q)$

Fig. 4. Model-checking algorithm



4 Model Checking 

In this section, we present a model-checking algorithm for the logic of Section 2. It is interesting to notice that the choice of a small set of logical primitives and the adoption of the Pset-based semantic foundation allows us to present in a rather succinct way a complete model-checker for a quite expressive π-calculus and logic.

The algorithm is specified by the boolean-valued procedure C(P, v, A) defined in Figure 4. In every procedure call C(P, v, A), P is a process, A is a formula, and v is a syntactic valuation, whose role is fully explained below. The boolean connectives are handled by the model-checker as expected. Spatial and behavioral connectives are handled by the set of auxiliary procedures Comp(−), Res(−, −) and Red(−, −) introduced in Lemma 4.1. The purpose of these algorithms is to decompose processes up to structural congruence, and compute the set of commitments a given process may present.

Lemma 4.1. For any process P we have:

1. A finite set Comp(P) ⊆ 𝒫 × 𝒫 can be constructed such that:

   a) For all Q, R such that P ≡ Q | R, there is (Q', R') ∈ Comp(P) such that Q ≡ Q' and R ≡ R'.

   b) For all (Q', R') ∈ Comp(P) we have P ≡ Q' | R'.

2. For any name n a finite set Res(n, P) ⊆ 𝒫 can be constructed such that:

   a) For all Q such that P ≡ (νn)Q, there is Q' ∈ Res(n, P) such that Q ≡ Q'.

   b) If Q' ∈ Res(n, P) then P ≡ (νn)Q'.

3. For any action α, a finite set Red(α, P) ⊆ 𝒫 can be constructed such that:

   a) For all Q such that P --α--> Q, there is Q' ∈ Red(α, P) such that Q ≡ Q'.

   b) If Q ∈ Red(α, P) then P --α--> Q.

N.B. We have Res(n, P) = ∅ if and only if n ∈ ofn(P). Similar results for calculi with replication (the π-calculus and the ambient calculus) have been presented in [13, 10, 8]. However, the property stated in Lemma 4.1(1a) does not hold for process calculi with replication where the principle !P ≡ P | !P holds (cf. [13]).

The cases for the freshness quantifier and the universal quantifier require the generation of fresh names. Instead of attempting to determine in advance a bound to the set of freshness witnesses for every process and formula to submit to the model-checker (cf. the bound output modality in the model-checker of [11]), we rely on Proposition 2.2(3), and in each case pick an arbitrary name out of the support (in the sense of Definition 2.1) of the denotation of the formula to be checked. By Proposition 2.2(1), we know that such support can be approximated by the set of free names of the formula to be checked, where we consider for the free names of a propositional variable the free names of the recursive formula that introduces its binding occurrence. To that end, we introduce the auxiliary function fs^v(A), that computes (an approximation to) a support, given a formula A and a syntactic valuation v (defined below). Generation of fresh names can then be implemented by a choice function that assigns to every finite set of names M a name new(M) ∉ M: any choice function meeting this specification is acceptable. In fact, no property of the model-checker (e.g., termination) requires fresh names to be generated according to some fixed strategy.

Syntactic valuations are finitary counterparts to the (semantic) valuations defined in Section 2. A syntactic valuation is essentially a mapping that assigns to each propositional variable in its domain a pair (S, A), where S is a finite set of processes and A is a recursive formula. Intuitively, if v is a syntactic valuation and v(X) = (S, A) then S is a finite approximation to the denotation of the recursive formula A.

Definition 4.2. A syntactic valuation v is a mapping from a finite sequence of propositional variables such that v(Xᵢ) = (Sᵢ, νXᵢ.Aᵢ) for all i = 1, …, n, where each Sᵢ is a finite set of processes, and each νXᵢ.Aᵢ is a formula with fpv(Aᵢ) ⊆ {X₁, …, Xᵢ₋₁}.

We say that v is a syntactic valuation for A if v is a syntactic valuation and D(v) ⊆ fpv(A). We define for any syntactic valuation v for A the set

fs^v(A) ≜ fn(A) ∪ ⋃{fs^v(B) | X ∈ fpv(A) and v(X) = (S, B)}

of free names of A under v. When v is a valuation, X ∉ D(v), S is a finite set of processes, and fpv(A) ⊆ D(v) we write v[X ← (S, A)] for the extension (not the update) of v with the additional binding [X ← (S, A)]. We use the notation v(X + P) to denote the valuation that results from v by adding the process P to the set-valued component of v(X), e.g., if v is the valuation w[X ← (S, A)]w' then v(X + P) is the valuation w[X ← (S ∪ {P}, A)]w'.

The algorithm handles fixpoint formulas by appealing to Winskel-Kozen's reduction lemma (Proposition 2.3(3)). The reduction lemma suggests a progressive unfolding strategy for recursive formulas used in many model-checkers for μ-calculus based process logics. However, a main technical difference between the treatment of fixpoints in our algorithm and other proposals concerns the interaction of spatial decomposition of restricted processes, fresh name generation, and recursion. Here, we compute an approximation to the finite support of the denotation of a fixpoint formula (given by fs^v(A)), and use this information to stop unfolding it, relying on the fact that if a process P belongs to a Pset 𝒫 with supp(𝒫) ⊆ M, then ρ(P) ∈ 𝒫 for all permutations ρ that fix M. This approach seems conceptually simpler than other proposals for coping with fresh name generation in model-checkers for π-calculus logics (e.g. [11]), and allows us to keep the description of the algorithm more abstract, and the correctness proofs simpler.

Definition 4.3. Given a finite set of names M ⊆ Λ, we define the relation ≡_M on processes by letting P ≡_M Q if and only if there is ρ ∈ K_M such that ρ(P) ≡ₑ Q.

Since for given P and Q the number of permutations to test is finite, by Lemma 3.10 we conclude that checking P ≡_M Q is decidable. The purpose of the boolean procedure In(P, v, X) at the bottom of Fig. 4 is then to check for the presence of a representative of the equivalence class of P in 𝒫/≡_M in the current approximation to the denotation of the fixpoint formula that introduced the propositional variable X. By Propositions 2.2(2) and 3.9 and our characterisation of =ₗ in terms of ≡ₑ (Proposition 3.11), we know that Q ≡_M P implies that Q ∈ 𝒫 if and only if P ∈ 𝒫, for every Pset 𝒫 supported by M. Notice also that fs^v(A) is only used in the procedure In(−, −, −), in the test for P ≡_M Q.
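As an added illustration (not code from the paper), the following Python sketch runs the procedure of Fig. 4 on a small fragment: it assumes processes without names, restriction or quantifiers (so Res and fresh-name generation are omitted and the test P ≡_M Q collapses to equality on a canonical form), and uses constant definitions in place of rec, so that Comp, Red and the syntactic-valuation treatment of νX.A, including the In check that stops the unfolding on a revisited process, can be exercised on a simple invariant.

```python
"""Toy instance of the procedure C(P, v, A) of Fig. 4 (added example, not the
paper's code). Assumptions: processes are finite-control terms without names,
restriction or quantifiers, so Res(n, P) and fresh-name generation are omitted
and the test P ≡_M Q of In(P, v, X) collapses to equality on a canonical form.
Only the clauses T, 0, ¬, ∧, |, α.A, X and νX.A are implemented."""
from itertools import combinations

# A process is a canonically sorted tuple of threads (action, continuation).
# A continuation is a process or the name of a constant in DEFS; constants play
# the role of "rec", giving cycles so that the In(P, v, X) check actually fires.
DEFS = {}

def proc(*threads):
    """Canonical form: with threads sorted, structural congruence (| is
    commutative and associative, 0 is its unit) is plain tuple equality."""
    return tuple(sorted(threads, key=repr))

def comp(P):
    """Comp(P): all (Q, R) with P ≡ Q | R (Lemma 4.1(1)); finite, since the
    threads of P form a multiset."""
    pairs = set()
    for r in range(len(P) + 1):
        for idx in combinations(range(len(P)), r):
            Q = proc(*(P[i] for i in idx))
            R = proc(*(P[i] for i in range(len(P)) if i not in idx))
            pairs.add((Q, R))
    return pairs

def red(alpha, P):
    """Red(α, P): all Q with P --α--> Q (Lemma 4.1(3)); one thread fires."""
    succ = set()
    for i, (a, cont) in enumerate(P):
        if a == alpha:
            cont = DEFS[cont] if isinstance(cont, str) else cont  # unfold rec
            succ.add(proc(*(P[:i] + P[i + 1:] + cont)))
    return succ

# Formulas are tagged tuples: ('T',), ('0',), ('not', A), ('and', A, B),
# ('par', A, B), ('act', alpha, A), ('var', X), ('nu', X, A).
def box(alpha, A):
    """[α].A ≜ ¬α.¬A, as in Fig. 3."""
    return ('not', ('act', alpha, ('not', A)))

def conj(*formulas):
    out = ('T',)
    for f in reversed(formulas):
        out = ('and', f, out)
    return out

def check(P, v, A):
    """C(P, v, A). v is a syntactic valuation: X -> (set of processes, νX.A)."""
    tag = A[0]
    if tag == 'T':
        return True
    if tag == '0':
        return P == ()                                   # Test(P ≡ 0)
    if tag == 'not':
        return not check(P, v, A[1])
    if tag == 'and':
        return check(P, v, A[1]) and check(P, v, A[2])
    if tag == 'par':
        return any(check(Q, v, A[1]) and check(R, v, A[2]) for Q, R in comp(P))
    if tag == 'act':
        return any(check(Q, v, A[2]) for Q in red(A[1], P))
    if tag == 'var':
        S, nu = v[A[1]]
        if P in S:                                       # In(P, v, X)
            return True
        v2 = dict(v)
        v2[A[1]] = (S | {P}, nu)                         # v(X + P)
        return check(P, v2, nu[2])                       # unfold once more
    if tag == 'nu':
        v2 = dict(v)
        v2[A[1]] = (frozenset({P}), A)                   # v[X <- ({P}, νX.A)]
        return check(P, v2, A[2])
    raise ValueError(f"unknown formula {A!r}")

# The formula 1 of Section 3: non-void and not splittable into two non-void parts.
ONE = ('and', ('not', ('0',)),
       ('not', ('par', ('not', ('0',)), ('not', ('0',)))))

def never(alpha, alphabet):
    """νX.(¬α.T ∧ ⋀_{β ∈ alphabet} [β].X): α is never enabled along any run."""
    body = conj(('not', ('act', alpha, ('T',))),
                *[box(b, ('var', 'X')) for b in alphabet])
    return ('nu', 'X', body)

# Constructed sample constants: K = a.b.K loops forever; L = a.leak.L leaks.
DEFS['K'] = proc(('a', proc(('b', 'K'))))
DEFS['L'] = proc(('a', proc(('leak', 'L'))))

def demo():
    P = proc(('a', proc(('b', 'K'))), ('c', ()))        # a.b.K | c.0
    Q = proc(('a', proc(('leak', 'L'))), ('c', ()))     # a.leak.L | c.0
    sigma = ('a', 'b', 'c', 'leak')
    return {'P single-threaded': check(P, {}, ONE),
            'b.K single-threaded': check(proc(('b', 'K')), {}, ONE),
            'P never leaks': check(P, {}, never('leak', sigma)),
            'Q never leaks': check(Q, {}, never('leak', sigma))}
```

On the looping constant K the unfolding of νX revisits a.b.K | c.0, and it is the In check on the accumulated set S, not a depth bound, that terminates the run.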

In the remainder of this section we establish correctness results for our model-checker. We start by introducing some auxiliary concepts. For any set of processes S and finite set of names N, we can define a Pset Close(S, N) ∈ 𝐏 by Close(S, N) = {Q | Q ≡ₑ r(P), r ∈ K_N and P ∈ S}. Notice that Close(S, N) contains S and is supported by N. Now, for every syntactic valuation v, we define a (semantic) valuation v* as follows:

Definition 4.4. Given a syntactic valuation v, we define a valuation v* as follows:

$$\emptyset^* \triangleq \emptyset$$

$$w[X \leftarrow (S, \nu X.A)]^* \triangleq w^*[X \leftarrow \mathcal{P}], \quad \text{where } \mathcal{P} \triangleq \mathit{Gfix}(\lambda \mathcal{S}.\; S^* \cup \llbracket A \rrbracket_{w^*[X \leftarrow \mathcal{S}]}) \text{ and } S^* = \mathit{Close}(S, \mathit{fs}^w(\nu X.A))$$



Proposition 4.5 (Soundness). For every P, formula A and syntactic valuation v for A we have: (a) If C(P, v, A) = true then P ∈ ⟦A⟧_{v*}. (b) If C(P, v, A) = false then P ∉ ⟦A⟧_{v*}.

We now show completeness of the model-checking algorithm. To obtain decidability we need to impose some finiteness conditions: we restrict model-checking to a class of bounded processes. Intuitively, a process is bounded if the set of processes reachable after an arbitrary sequence of spatial or behavioral observations is finite up to finitely supported name permutations. Completeness then results from the fact that our model-checker always terminates on bounded processes. We first define reachability:







Definition 4.6 (Reachability). For every P we define the set Reach(P) as follows:

P ∈ Reach(P)

P' ∈ Reach(P), (Q, R) ∈ Comp(P') ⇒ Q ∈ Reach(P), R ∈ Reach(P)

P' ∈ Reach(P), Exists n. Q ∈ Res(n, P') ⇒ Q ∈ Reach(P)

P' ∈ Reach(P), Exists α. Q ∈ Red(α, P') ⇒ Q ∈ Reach(P)

Definition 4.7 (Bounded process). A process P is bounded if for every finite set of names M the set (of equivalence classes) Reach(P)/≡_M is finite.

Proposition 4.8 (Completeness). If Q is bounded and Q ∈ ⟦A⟧ then C(Q, ∅, A) = true.

Therefore, after noticing that all tests in the model-checking procedure are decidable, and that the number and structure of recursive calls associated to each call of the model-checking algorithm is finite and decidable in all cases, we conclude:

Corollary 4.9. Model-checking of bounded processes is decidable.

Due to spatial reachability, the fact that a process always terminates is not enough to ensure its boundedness: a deadlocked process may contain components which are not bounded when considered in isolation, e.g., the process (νn)(rec X.n(n).(X | X)) is not bounded in the sense of Definition 4.7. However, we can verify that the class of bounded processes includes the class of finite-control processes as defined in [11].

Proposition 4.10. Any finite-control process is bounded.



5 Related Work and Conclusions 

We have proposed and studied a logic for the synchronous π-calculus, organized around a small set of spatial and behavioral observations, and including freshness quantifiers and recursive formulas. This logic subsumes existing behavioral logics for π-calculi [21, 12], and can be seen as a fragment of the spatial logic of [4, 3] (in the sense that action modalities can be expressed with the composition adjunct [17]). The semantic foundation for the logic and model-checker presented here builds on the approach developed by Cardelli and the present author in [4], which is in turn based on domains of finitely supported sets of processes and the theory of freshness by Gabbay and Pitts [14].

We have investigated the separation power of the logic, providing sound and complete characterizations of the equivalence (actually the congruence) induced by the logic on processes. These results build on the definition of bounded characteristic formulas for processes, and on some technical results about solutions of equations on π-calculus processes up to extended structural congruence. Expressiveness and separation results for spatial logics for the public ambient calculus have already been investigated by Sangiorgi, Lozes and Hirschkoff [24, 16].




L. Caires 



We have also presented a model-checker for the logic, and have shown that model-checking is decidable on a class of bounded processes that includes the finite-control fragment of the π-calculus. Model-checking the π-calculus against behavioral logics was studied extensively by Dam [11, 12]. Most of the existing work on model-checking for spatial logics focuses on the ambient logic, after the first proposal of [6]. The work of Charatonik, Gordon and Talbot on model-checking the ambient logic against finite-control mobile ambients [8] (where, as done here for the π-calculus, replication is replaced by recursion) seems to be the most related to ours, although it does not address a spatial logic with recursive formulas and with freshness quantifiers.
1 Introduction

The point of departure and the motivation for this paper are the results of Angluin [1], who introduced a tool to analyze election algorithms, the coverings, and of Yamashita and Kameda [21] and Mazurkiewicz [15], who obtained characterizations of graphs in which election is possible under two different models of distributed computation. Our aim is twofold. First, it is to obtain characterizations of graphs in which election is possible under intermediate models between the models of Yamashita-Kameda and of Mazurkiewicz. Our second aim is to understand the implications of the models for the borderline between positive and negative results for distributed computations. In this work, characterizations are obtained under three different models.



1.1 The Model 

We consider networks of processors with arbitrary topology. A network is represented as a connected, undirected graph where vertices denote processors and edges denote direct communication links. Labels are attached to vertices and edges. The identities of the vertices, a distinguished vertex, the number of processors, the diameter of the graph or the topology are examples of labels attached to vertices; weights, marks that encode a spanning tree or the sense of direction are examples of labels attached to edges.

At each step of computation labels are modified on exactly one edge and its endvertices of the given graph, according to certain rules depending on the label of this edge and the labels of its endvertices only. Thus rules are of the form:

R_i : (X) --Y-- (Z)  ->  (X') --Y'-- (Z')

Such local computations are called local computations on closed edges in this paper. The relabelling is performed until no more transformation is possible, i.e., until a normal form is obtained.
1.2 The Election Problem

The election problem is one of the paradigms of the theory of distributed computing. It was first posed by LeLann [10]. Considering a network of processors, the election problem is to arrive at a configuration where exactly one processor is in the state elected and all other processors are in the state non-elected. The elected vertex is used to make decisions, to centralize or to broadcast some information.

Known Results about the Election Problem. Graphs where election is possible have already been studied; the algorithms usually involved some particular knowledge and some particular basic computation steps. Solving the problem for different kinds of knowledge has been investigated for some particular cases (see [2, 12, 19] for details), including: the network is known to be a tree, the network is known to be complete, the network is known to be a grid or a torus, the nodes have different identification numbers, the network is known to be a ring and has a known prime number of vertices. Characterizations of graphs where election is possible have been given under two models of computation.

— In [21], Yamashita and Kameda consider the following asynchronous model. In each step, a vertex, depending on its current label, either changes its label, sends a message via one of its ports, or receives a message via a port. The topology of the graph is assumed to be known. They proved that, knowing the topology or the size of the network, there exists an election algorithm for G if and only if the symmetricity of G is equal to 1 (where the symmetricity depends on the number of labelled trees isomorphic to a certain tree associated to G) ([21], Theorem 1 p. 75).

— In [15], Mazurkiewicz considers the following asynchronous model. In each step, labels are modified on a subgraph consisting of a node and its neighbours, according to certain rules depending on this subgraph only. He proves that, given a graph G, there exists an election algorithm for G if and only if G is minimal for the covering relation (a graph H is a covering of a graph K if there exists a surjective morphism φ from H onto K which maps bijectively the neighbours of any vertex v onto the neighbours of φ(v); a graph H is minimal if whenever H covers a graph K then H and K are isomorphic).



1.3 The Main Results 

We recall that at each step of computation, labels are modified on exactly two vertices linked by an edge and on this edge of the given graph, according to certain rules depending on the labels of this edge and on the labels of the two vertices only. Under this hypothesis, we give a characterization of graphs for which there exists an election algorithm. More precisely, we prove that, given a simple graph G (a graph without self-loops or multiple edges), there exists an election algorithm for G if and only if G is minimal for the covering relation, where the notion of covering is a generalization of the previous one. First we consider multigraphs: graphs having possibly multiple edges but no self-loops. For this class of graphs, a graph H is a covering of a graph K if there exists a surjective morphism φ from H onto K such that, for every vertex v, the restriction of φ to the set of edges incident to v is a bijection between this set of edges and the set of edges incident to φ(v).

This condition is not equivalent to the condition of Mazurkiewicz. If we consider the ring with 4 vertices, denoted R_4, then it is minimal for the first notion of covering but it is not minimal for the generalization. Indeed, for the generalization it covers the graph H defined by 2 vertices having a double edge (see Fig. 1).



Fig. 1. The graph R_4 covers the graph H.



Thus there exists an election algorithm for R_4 in the model of Mazurkiewicz and there does not exist an election algorithm for R_4 in the model studied in this paper.

In fact, the Mazurkiewicz algorithm is a distributed enumeration algorithm: it is a distributed algorithm such that the result of any computation, in a graph G minimal for the covering relation, is a labelling of the vertices that is a bijection from V(G) to {1, 2, …, |V(G)|}. For a given graph G, the election problem and the enumeration problem with termination detection are equivalent in the model of Mazurkiewicz; we prove that under the same hypothesis the two problems are also equivalent in the model studied in this paper. This property no longer holds if we have no information on the graph such as its size or its topology.

In the second part of this paper, we consider the following model of computation: at each step of computation labels are modified on exactly one edge and one endvertex of this edge of the given graph, according to certain rules depending on the label of this edge and the labels of its endvertices only (local computations on open edges). Thus the form of the rules is:

R : (X) --Y-- (Z)  ->  (X') --Y'-- (Z)

We prove that this model is equivalent to the model studied in the first part by using a simulation algorithm. Thus we also obtain a characterization of graphs where election is possible. This result is not immediate: for example, using the first model, it is easy to give a name to each edge of a given graph such that for a given vertex v, all the edges incident to v have a different name; if we do not use the simulation algorithm this result is not trivial in the context of the second model. Finally, we extend the characterization concerning the election to the model where at each step of computation labels are modified on a subgraph consisting of a node and the incident edges, according to certain rules depending on the vertex, the incident edges and the endvertices (local computations on open star graphs). The end of the paper proves that models using labels on edges are strictly stronger than models without labels on edges.



1.4 Related Works and Results 

In [21] the election problem is studied under other initial knowledge: the size of the graph, an upper bound on the number of vertices; in some cases multigraphs are necessary. In addition to the works of [1, 15, 21, 22] and [20, 23], one can cite the results of Boldi and Vigna who use directed graphs [4, 3, 5, 6]. They consider directed graphs coloured on their arcs. Each vertex changes its state depending on its previous state and on the states of its in-neighbours; activation of processors may be synchronous, asynchronous or interleaved. A generalization of coverings, called fibrations, is studied and properties which find applications in the distributed computing setting are emphasized. In [7, 16, 9, 8] the model of Mazurkiewicz is considered and a characterization of families of graphs in which election is possible is given; in [8] characterizations of recognizable classes of graphs by means of local computations are given.



2 Basic Notions and Notation 

2.1 Graphs, Labelled Graphs, and Coverings 

The notations used here are essentially standard [18]. We consider finite, undirected, connected graphs without self-loops, having possibly multiple edges. If G = (V(G), E(G), Ends) is a graph, then V(G) denotes the set of vertices, E(G) denotes the set of edges and Ends denotes a map assigning to every edge two vertices: its ends. Two vertices u and v are said to be adjacent or neighbours if there exists an edge e such that Ends(e) = {u, v}. In this paper, graphs may have several edges between the same two vertices; such edges are called multiple edges. A simple graph G = (V(G), E(G)) is a graph with no self-loops or multiple edges: E(G) can be seen as a set of pairs of V(G). Let e be an edge; if the vertex v belongs to Ends(e) then we say that e is incident to v. The set of all the edges of G incident with v is denoted I_G(v). The set of neighbours of v in G, denoted N_G(v), is the set of all vertices of G adjacent to v. For a vertex v, we denote by B_G(v) the ball of radius 1 with center v, that is, the graph with vertices N_G(v) ∪ {v} and edges I_G(v). For an edge e, we denote by A_G(e) the single edge graph (Ends(e), {e}); we call closed edge an edge with its two endvertices, and if we consider the edge with only one endvertex it is an open edge.

Throughout the paper we will consider graphs where vertices and edges are labelled with labels from a recursive alphabet L. A graph labelled over L will be denoted by (G, λ), where G is a graph and λ : V(G) ∪ E(G) → L is the labelling function. The graph G is called the underlying graph and the mapping λ is a labelling of G. For a labelled graph (G, λ), lab((G, λ)) is the set of labels that occur in (G, λ). The class of labelled graphs over some fixed alphabet L will be denoted by 𝒢_L. Let (G, λ) and (G', λ') be two labelled graphs. Then (G, λ) is a subgraph of (G', λ'), denoted by (G, λ) ⊆ (G', λ'), if G is a subgraph of G' and λ is the restriction of the labelling λ' to V(G) ∪ E(G).

Labelled graphs will be designated by bold letters like G, H, … If G is a labelled graph, then G denotes the underlying graph.



2.2 Coverings 

We say that a graph G is a covering of a graph H via γ if γ is a surjective homomorphism from G onto H such that for every vertex v of V(G) the restriction of γ to I_G(v) is a bijection onto I_H(γ(v)). The covering is proper if G and H are not isomorphic.

The notion of covering extends to labelled graphs in an obvious way. The labelled graph (H, λ') is covered by (G, λ) via γ, if γ is a homomorphism from (G, λ) to (H, λ') such that for every vertex v of V(G) the restriction of γ to I_G(v) is a bijection onto I_H(γ(v)). Note that a graph covering is exactly a covering in the classical sense of algebraic topology, see [13].

Remark 1. We use a different definition for coverings than Angluin's one. In fact, if we consider only simple graphs these two definitions are equivalent. For Angluin, (H, λ') is covered by (G, λ) via γ, if γ is a homomorphism from (G, λ) to (H, λ') such that for every vertex v of V(G) the restriction of γ to N_G(v) is a bijection onto N_H(γ(v)). Given a simple graph G, for each vertex u ∈ V(G), there is a natural bijection between I_G(u) and N_G(u) and therefore it is easy to see the equivalence.

We work with graphs that can have multiple edges and in this case the two definitions are not equivalent. Consider the graphs G and H from Fig. 2: if we consider the morphism φ defined from G to H by the letters a, b, α, β, we easily see that G is a covering of H. But if we use Angluin's definition of covering, G is not a covering of H since for each u ∈ V(G), |N_G(u)| = 2, whereas for each v ∈ V(H), |N_H(v)| = 1.

A graph G is called minimal if every covering from G to some H is a bijection. A simple graph G is called S-minimal if every covering from G to some simple graph H is a bijection. The graphs G' and H from Fig. 2 are minimal graphs, whereas G is a proper covering of H and therefore G is not minimal. Moreover, neither G nor G' is a proper covering of any simple graph: G and G' are S-minimal.

We have the following basic property of coverings [17]:

Lemma 1. For every covering γ from G to H there exists an integer q such that card(γ^{-1}(v)) = q, for all v ∈ V(H).

The integer q in the previous lemma is called the number of sheets of the covering. We also refer to γ as a q-sheeted covering.
Fig. 2. First Examples. (figure not reproduced; its edges carry the letters a, b referred to in Remark 1)



Lemma 2. Let G be a covering of H via γ and let e_1, e_2 ∈ E(G) be such that e_1 ≠ e_2. If γ(e_1) = γ(e_2) then A_G(e_1) ∩ A_G(e_2) = ∅, i.e., Ends(e_1) ∩ Ends(e_2) = ∅.
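As an added example (not from the paper), a Python check of the covering definition above and of Angluin's variant from Remark 1, together with the sheet count of Lemma 1 and the disjointness property of Lemma 2. The dict encoding of multigraphs is an assumption of the example, and the sample graphs, a 4-cycle and a two-vertex multigraph with two parallel edges, are constructed here; they are not the graphs of Fig. 2.

```python
"""Coverings of multigraphs (Section 2.2): an added example, not the paper's
code. A graph is a dict {"V": set of vertices, "ends": {edge: frozenset of
endvertices}} (Ends(e) has one element for a loop, two otherwise); a
candidate covering gamma is a pair of maps gv (vertices) and ge (edges).
"""
from collections import Counter

def incident(graph, v):
    """I_G(v): the set of edges of G incident with v."""
    return {e for e, ends in graph["ends"].items() if v in ends}

def neighbours(graph, v):
    """N_G(v): the vertices adjacent to v (parallel edges collapse into one)."""
    return {u for e in incident(graph, v) for u in graph["ends"][e] if u != v}

def is_homomorphism(G, H, gv, ge):
    """gamma preserves incidence: Ends(gamma(e)) = gamma(Ends(e)) for every edge."""
    return all(H["ends"][ge[e]] == frozenset(gv[u] for u in ends)
               for e, ends in G["ends"].items())

def is_covering(G, H, gv, ge):
    """The paper's definition: gamma is a surjective homomorphism whose
    restriction to I_G(v) is a bijection onto I_H(gamma(v)) for every v."""
    if not is_homomorphism(G, H, gv, ge):
        return False
    if set(gv.values()) != H["V"] or set(ge.values()) != set(H["ends"]):
        return False
    for v in G["V"]:
        image = [ge[e] for e in incident(G, v)]
        if len(set(image)) != len(image) or set(image) != incident(H, gv[v]):
            return False
    return True

def is_angluin_covering(G, H, gv, ge):
    """Angluin's variant (Remark 1): bijection on N_G(v) -> N_H(gamma(v))."""
    if not is_homomorphism(G, H, gv, ge):
        return False
    for v in G["V"]:
        image = [gv[u] for u in neighbours(G, v)]
        if len(set(image)) != len(image) or set(image) != neighbours(H, gv[v]):
            return False
    return True

def sheets(G, H, gv):
    """Lemma 1: all fibres gamma^-1(v) have the same size q; return q."""
    sizes = {Counter(gv.values())[v] for v in H["V"]}
    if len(sizes) != 1:
        raise ValueError("not a covering: fibres differ in size %s" % sizes)
    return sizes.pop()

def same_image_edges_are_disjoint(G, ge):
    """Lemma 2: distinct edges with the same image have disjoint endvertices."""
    return all(ge[e1] != ge[e2] or not (G["ends"][e1] & G["ends"][e2])
               for e1 in G["ends"] for e2 in G["ends"] if e1 != e2)

# Constructed sample: G4 is a 4-cycle whose edges map alternately to a and b;
# H2 has two vertices joined by the parallel edges a and b (a multigraph).
G4 = {"V": {"v0", "v1", "v2", "v3"},
      "ends": {"e0": frozenset({"v0", "v1"}), "e1": frozenset({"v1", "v2"}),
               "e2": frozenset({"v2", "v3"}), "e3": frozenset({"v3", "v0"})}}
H2 = {"V": {"h0", "h1"},
      "ends": {"a": frozenset({"h0", "h1"}), "b": frozenset({"h0", "h1"})}}
GAMMA_V = {"v0": "h0", "v1": "h1", "v2": "h0", "v3": "h1"}
GAMMA_E = {"e0": "a", "e1": "b", "e2": "a", "e3": "b"}

if __name__ == "__main__":
    print("covering (paper's definition):", is_covering(G4, H2, GAMMA_V, GAMMA_E))
    print("covering (Angluin's definition):", is_angluin_covering(G4, H2, GAMMA_V, GAMMA_E))
    print("sheets:", sheets(G4, H2, GAMMA_V))
```

The 4-cycle covers the two-vertex multigraph in the paper's sense (two sheets) but not in Angluin's, which is exactly the discrepancy Remark 1 describes for |N_G(u)| = 2 versus |N_H(v)| = 1.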



3 Local Computations on Closed Edges 

In this section we give the definition of local computations on closed edges and their relation with coverings. They model networks of processors of arbitrary topology. The network is represented as a connected, undirected graph where vertices denote processors and edges denote direct communication links. Labels (or states) are attached to vertices and edges. Local computations as considered here can be described in the following general framework. Let G_L be the class of L-labelled graphs and let R ⊆ G_L × G_L be a binary relation on G_L. Then R is called a graph rewriting relation. We assume that R is closed under isomorphism, i.e., if G R G' and H ≅ G then H R H' for some labelled graph H' ≅ G'. In the remainder of the paper R* stands for the reflexive-transitive closure of R. The labelled graph G is R-irreducible (or just irreducible if R is fixed) if there is no G' such that G R G'. For G ∈ G_L, Irred_R(G) denotes the set of R-irreducible graphs obtained from G using R, i.e., Irred_R(G) = {H | G R* H and H is R-irreducible}.

Definition 1. Let R ⊆ G_L × G_L be a graph rewriting relation.

1. R is a relabelling relation if whenever two labelled graphs are in relation then the underlying graphs are equal, i.e.:

   G R H implies that G = H (for the underlying graphs).

2. R is local on closed edges if it can only modify an edge and its endvertices, i.e., (G, λ) R (G, λ') implies that there exists an edge e ∈ E(G) such that

   λ(x) = λ'(x) for every x ∉ Ends(e) ∪ {e}.

The labelled single edge graph (A_G(e), λ) is a support of the relabelling relation.

The next definition states that a local relabelling relation TZ is locally gener- 
ated on closed edges if the applicability of any relabelling depends only on the 
single edge subgraphs. 

Definition 2. Let R be a relabelling relation. Then R is locally generated on closed edges if it is local on closed edges and the following is satisfied: For all labelled graphs (G, λ), (G, λ'), (H, η), (H, η') and all edges e ∈ E(G), f ∈ E(H) such that A_G(e) and A_H(f) are isomorphic via φ : V(A_G(e)) ∪ E(A_G(e)) → V(A_H(f)) ∪ E(A_H(f)), the following three conditions:

1. λ(x) = η(φ(x)) and λ'(x) = η'(φ(x)) for all x ∈ V(A_G(e)) ∪ E(A_G(e)),

2. λ(x) = λ'(x) for all x ∉ V(A_G(e)) ∪ E(A_G(e)),

3. η(x) = η'(x) for all x ∉ V(A_H(f)) ∪ E(A_H(f)),

imply that (G, λ) R (G, λ') if and only if (H, η) R (H, η').

By definition, local computations on closed edges on graphs are computa- 
tions on graphs corresponding to locally generated relabelling relations on closed 
edges. 

We now present the fundamental lemma connecting coverings and locally 
generated relabelling relations on closed edges [1]. It states that, whenever G is 
a covering of H, every relabelling step in H can be lifted to a relabelling sequence 
in G, which is compatible with the covering relation. 

Lemma 3 (Lifting Lemma). Let R be a locally generated relabelling relation on closed edges and let G be a covering of H via γ. If H R* H' then there exists G' such that G R* G' and G' is a covering of H' via γ.



4 Election and Enumeration 

The main result of this part is that for every graph G, there exists an election al- 
gorithm using local computations on closed edges on G if and only if there exists 
an enumeration algorithm with termination detection using local computations 
on closed edges on G. 
4.1 Definitions

A distributed election algorithm on a graph G is a distributed algorithm such that the result of any computation is a labelling of the vertices such that exactly one vertex has the label elected and all other vertices have the label non-elected. The labels elected and non-elected are terminal, i.e., when they appear on a vertex they remain until the end of the computation. A distributed enumeration algorithm on a graph G is a distributed algorithm such that the result of any computation is a labelling of the vertices that is a bijection from V(G) to {1, 2, ..., |V(G)|}. It is easy to see that if we have an enumeration algorithm on a graph G where vertices can detect whether the algorithm has terminated, we have an election algorithm on G by electing the vertex labelled by 1.

4.2 Impossibility Results 

Using the same method as in the Lifting Lemma [1], we obtain:

Proposition 1. Let G be a labelled graph which is not minimal. Then there is no enumeration algorithm for G.

Consequently, there is no election algorithm for a graph G if G is not minimal: otherwise, we could derive an enumeration algorithm for G, as will be shown in the next section. Furthermore, we can prove that:

Proposition 2. Given a graph G, there is an algorithm using local computations on closed edges that solves the election problem on G if and only if there is an algorithm using local computations on closed edges that solves the enumeration problem with termination detection on G.

5 An Enumeration Algorithm 

In this section, we describe an algorithm using local computations on closed edges that solves the enumeration problem on a minimal graph G. This algorithm uses some ideas developed in [15]. Each vertex v attempts to get its own number between 1 and |V(G)|. A vertex chooses a number and broadcasts it with its label and its labelled neighbourhood all over the network. If a vertex u discovers the existence of another vertex v with the same number, then it compares its local view, i.e., the labels and numbers of its neighbours, with the local view of v. If the label of u or the local view of u is "weaker", then u chooses another number and broadcasts it again with its local view. At the end of the computation, every vertex will have a unique number if the graph is covering-minimal.



5.1 Labels 

Let G = (G, λ) and consider a vertex v_0 ∈ V(G), and the set {e_1, ..., e_d} of edges that are incident to v_0.

For each edge e ∈ E(G) such that Ends(e) = {v_1, v_2}, a number p(e) will be associated to e such that for each other edge e' ∈ I_G(v_1) ∪ I_G(v_2), p(e) ≠ p(e'). The label of an edge e is the pair (λ(e), p(e)) and the initial labelling is (λ(e), 0).

For each vertex v ∈ V(G), the label of v is the pair (λ(v), c(v)) where c(v) is a triple (n(v), N(v), M(v)) representing the following information obtained during the computation (formal definitions are given below):

- n(v) ∈ ℕ is the number of the vertex v computed by the algorithm;

- N(v) ∈ 𝒩 is the local view of v, and it is a set defined by:

  {(p(e), λ(e), n(v'), λ(v')) | e ∈ I_G(v), Ends(e) = {v, v'} and p(e) ≠ 0};

- M(v) ⊆ L × ℕ × 𝒩 is the mailbox of v and contains the whole information received by v at any step of the computation.

The initial labelling of any vertex v is (λ(v), (0, ∅, ∅)).

5.2 An Order on Local Views 

The fundamental property of the algorithm is based on a total order on local views, as defined in [15], such that the local view of any vertex cannot decrease during the computation. We assume for the rest of this paper that the set of labels L is totally ordered by <_L. Consider a vertex v such that the local view N(v) is the set {(p(e_1), λ(e_1), n(v_1), λ(v_1)), (p(e_2), λ(e_2), n(v_2), λ(v_2)), ..., (p(e_d), λ(e_d), n(v_d), λ(v_d))}; we assume that:

- p(e_1) ≥ p(e_2) ≥ ... ≥ p(e_d),

- if p(e_i) = p(e_{i+1}) then λ(e_i) ≥_L λ(e_{i+1}),

- if p(e_i) = p(e_{i+1}) and λ(e_i) = λ(e_{i+1}) then n(v_i) ≥ n(v_{i+1}),

- if p(e_i) = p(e_{i+1}), λ(e_i) = λ(e_{i+1}) and n(v_i) = n(v_{i+1}) then λ(v_i) ≥_L λ(v_{i+1}).

Let 𝒩_> be the set of all such ordered tuples. We define a total order ≺ on 𝒩_> by comparing the numbers, then the vertex labels and finally the edge labels. Formally, for two elements

$((p_1, e_1, n_1, l_1), \ldots, (p_d, e_d, n_d, l_d))$ and $((p'_1, e'_1, n'_1, l'_1), \ldots, (p'_{d'}, e'_{d'}, n'_{d'}, l'_{d'}))$

of 𝒩_> we define

$((p_1, e_1, n_1, l_1), \ldots, (p_d, e_d, n_d, l_d)) \prec ((p'_1, e'_1, n'_1, l'_1), \ldots, (p'_{d'}, e'_{d'}, n'_{d'}, l'_{d'}))$

if there exists i such that $(p_1, e_1, n_1, l_1) = (p'_1, e'_1, n'_1, l'_1), \ldots, (p_{i-1}, e_{i-1}, n_{i-1}, l_{i-1}) = (p'_{i-1}, e'_{i-1}, n'_{i-1}, l'_{i-1})$ and such that one of the following holds

1. $p_i < p'_i$,

2. $p_i = p'_i$ and $e_i <_L e'_i$,

3. $p_i = p'_i$, $e_i = e'_i$ and $n_i < n'_i$,

4. $p_i = p'_i$, $e_i = e'_i$, $n_i = n'_i$ and $l_i <_L l'_i$,

5. $i = d + 1$ and $d < d'$.

If N(u) ≺ N(v), then we say that the local view N(v) of v is stronger than the one of u and that N(u) is weaker than N(v). The order ≺ is a total order on 𝒩 = 𝒩_> ∪ {∅}, with, by definition, ∅ ≺ N for every N ∈ 𝒩_>.
5.3 Relabelling Rules



We now describe the five relabelling rules; the rules M2 and M3 are very close to the rules of the Mazurkiewicz algorithm. The first rule gives a name to each edge: two neighbours v and v' incident to a common edge e such that p(e) = 0 choose a value for p(e) such that no node has two incident edges with the same label. This rule can only be applied once to each edge, since once an edge e has a number p(e), this number does not change any more.

M1 :

  (l1, (n1, N1, M1)) o-----(le, 0)-----o (l2, (n2, N2, M2))
      -->
  (l1, (n1, N1', M1')) o-----(le, p)-----o (l2, (n2, N2', M2'))

with p = 1 + max{p' ; (p', l'_e, n', l') ∈ N1 ∪ N2}
     N1' = N1 ∪ {(p, le, 0, l2)}
     N2' = N2 ∪ {(p, le, 0, l1)}
     M1' = M1 ∪ {(l1, n1, N1')}
     M2' = M2 ∪ {(l2, n2, N2')}



The second rule enables two neighbours v and v' having different mailboxes to share the information they have about the labels present in the graph.

M2 :

  (l1, (n1, N1, M1)) o-----(le, p)-----o (l2, (n2, N2, M2))
      -->
  (l1, (n1, N1, M')) o-----(le, p)-----o (l2, (n2, N2, M'))

if p > 0 and M1 ≠ M2
with M' = M1 ∪ M2

The third rule enables a vertex v to change its number if n(v) = 0 or if there exists a vertex v' such that n(v) = n(v') and v has a weaker local view than v'.

M3 :

  (l, (n, N, M)) o   -->   (l, (k, N, M')) o

if n = 0 or there exists (l0, n, N0) ∈ M such that l <_L l0 or (l = l0 and N ≺ N0)
with k = 1 + max{n_i ; (l_i, n_i, N_i) ∈ M}
     M' = M ∪ {(l, k, N)}
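The order on local views of Section 5.2 and the applicability test of rule M3 above, as an added Python example (not the paper's code). It assumes that labels are strings and that <_L is the usual string order (the paper only asks for some total order on L), and it encodes a local view as a set of tuples (p(e), λ(e), n(v'), λ(v')) and a mailbox as a set of triples (l, n, N) with N stored as a frozenset.

```python
"""Total order on local views (Section 5.2) and the condition of rule M3
(Section 5.3). Added example, not the paper's code; the string order on
labels stands in for <_L, which is an assumption of this example.
"""

def ordered_view(view):
    """The ordered tuple ((p_1,e_1,n_1,l_1), ..., (p_d,e_d,n_d,l_d)) of
    Section 5.2: p non-increasing, ties broken by the edge label, then the
    neighbour's number, then the neighbour's label, each non-increasing.
    Python's tuple order with reverse=True is exactly that lexicographic order."""
    return tuple(sorted(view, reverse=True))

def weaker(view_u, view_v):
    """N(u) -< N(v), i.e. N(u) is weaker than N(v): the empty view is below
    every non-empty one; otherwise the first position where the ordered
    tuples differ decides (cases 1-4 compare p, then e, then n, then l), and
    a proper prefix is weaker than its extension (case 5: i = d+1, d < d')."""
    a, b = ordered_view(view_u), ordered_view(view_v)
    if not a:
        return bool(b)
    for x, y in zip(a, b):
        if x != y:
            return x < y
    return len(a) < len(b)

def stronger(view_u, view_v):
    """N(u) is stronger than N(v)."""
    return weaker(view_v, view_u)

def m3_applies(label, number, view, mailbox):
    """Condition of rule M3 for a vertex labelled (label, (number, view, mailbox)):
    the vertex has no number yet, or its mailbox mentions a vertex with the
    same number whose label is larger, or equal with a stronger local view."""
    if number == 0:
        return True
    return any(n0 == number and (label < l0 or (label == l0 and weaker(view, view0)))
               for l0, n0, view0 in mailbox)

def m3_new_number(mailbox):
    """k = 1 + max{n_i ; (l_i, n_i, N_i) in M} (max of the empty set taken as 0)."""
    return 1 + max((n for _, n, _ in mailbox), default=0)

# Constructed sample: u and v both hold number 1 and label 'a'. Both see the
# same neighbour on edge 1; on edge 2, v already knows its neighbour's number
# (1) while u still records 0, so v's view is stronger and M3 applies to u.
U_VIEW = {(2, "x", 0, "a"), (1, "x", 3, "b")}
V_VIEW = {(2, "x", 1, "a"), (1, "x", 3, "b")}
MAILBOX = {("a", 1, frozenset(U_VIEW)), ("a", 1, frozenset(V_VIEW))}

if __name__ == "__main__":
    print("ordered view of u:", ordered_view(U_VIEW))
    print("u weaker than v:", weaker(U_VIEW, V_VIEW))
    print("M3 applies to u:", m3_applies("a", 1, U_VIEW, MAILBOX))
    print("M3 applies to v:", m3_applies("a", 1, V_VIEW, MAILBOX))
    print("new number for u:", m3_new_number(MAILBOX))
```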

The fourth rule enables a node having a neighbour with exactly the same label to change its number. If this rule can be applied, it means that the two vertices have never exchanged their numbers along this edge.

M4 :

  (l, (n, N, M)) o-----(le, p)-----o (l, (n, N, M))
      -->
  (l, (k, N1, M')) o-----(le, p)-----o (l, (n, N2, M'))

if p > 0 and n > 0
with k = 1 + max{n_i ; (l_i, n_i, N_i) ∈ M}
     N1 = N \ {(p, le, 0, l)} ∪ {(p, le, n, l)}
     N2 = N \ {(p, le, 0, l)} ∪ {(p, le, k, l)}
     M' = M ∪ {(l, k, N1), (l, n, N2)}



The fifth rule enables a vertex v to get information about the number of a neighbour v', either because v has no information about n(v'), or because n(v') has changed since v got information about n(v').

M5 :

  (l1, (n1, N1, M)) o-----(le, p)-----o (l2, (n2, N2, M))
      -->
  (l1, (n1, N1', M')) o-----(le, p)-----o (l2, (n2, N2', M'))

if p > 0, n1 > 0, n2 > 0, n1 ≠ n2,
   (p, le, i, l2) ∈ N1, (p, le, j, l1) ∈ N2
   and (i ≠ n2 or j ≠ n1)
with N1' = N1 \ {(p, le, i, l2)} ∪ {(p, le, n2, l2)}
     N2' = N2 \ {(p, le, j, l1)} ∪ {(p, le, n1, l1)}
     M' = M ∪ {(l1, n1, N1'), (l2, n2, N2')}



For each run of this algorithm on a minimal graph G each vertex has a unique 
number. Finally: 

Theorem 1. For every graph G, there exists an enumeration algorithm with 
termination detection on G and an election algorithm on G using local compu- 
tations on closed edges if and only if G is a minimal graph. 

6 Two Other Models of Local Computations 

We consider now a different kind of local computations: we still consider locally generated relabelling relations, but during a relabelling step, the label of only one vertex and an incident edge can be modified, i.e., the rules have the form:

R :   X o-----Y-----o Z   -->   X' o-----Y'-----o Z

To make a distinction between this model and the former one, we will say that this model describes local computations on open edges. Since local computations on open edges are also local computations on closed edges, each algorithm using local computations on open edges is also an algorithm using local computations on closed edges. We wonder whether the computational power of this new model is weaker than, or the same as, that of the previous one. In fact, by a non-trivial proof we have:

Proposition 3. Given a problem P and a graph G, there exists an algorithm using local computations on closed edges that solves P on G with termination detection if and only if there exists an algorithm using local computations on open edges that solves P on G with termination detection.

We have already given a characterization of graphs in which we can solve the 
election problem and the enumeration problem with termination detection and 
we can therefore give the following corollary: 

Corollary 1. For every graph G, there exists an enumeration algorithm with 
termination detection on G and an election algorithm on G using local compu- 
tations on open edges if and only if G is a minimal graph. 

We now consider a model of local computations such that at each computation step, a vertex looks at the labels of its neighbours and its incident edges and modifies its label and the labels of its incident edges. We say that at each step a star graph is relabelled and we talk about local computations on open star graphs. The relabelling rules are therefore triples (S, λ, λ') such that S is a star graph whose center is a node v_0 and λ, λ' are two labellings of S such that for every node v ∈ V(S) \ {v_0}, λ(v) = λ'(v).

Theorem 2. For every graph G, there exists an enumeration algorithm with 
termination detection on G and an election algorithm on G using local compu- 
tations on open star graphs if and only if G is a minimal graph. 

7 Is It Important to Have Labels on Edges?

The power of the model of Mazurkiewicz does not change if we consider edges 
with or without labels. 

In our models, we have considered labelled graphs such that the edges can 
have labels and this property has been used to describe the different algorithms 
we present. We wonder if the results remain true when we consider models where 
the edges cannot be labelled. We will present a minimal graph in which we cannot 
find an election algorithm using local computations on closed edges when the 
edges are not labelled and another minimal graph in which there does not exist 
any election algorithm using local computations on open star graphs if the edges 
cannot be labelled. 

Local Computations on Closed Edges 

Consider the graph G described in Figure 3, which is a minimal graph and therefore we can solve the election problem on it with local computations on closed edges. Consider a noetherian relabelling relation R associated to an algorithm involving local computations on closed edges such that there is no rule that labels the edges.

Fig. 3. A graph in which we cannot find an election algorithm using local computations on closed edges without labelling edges. (figure not reproduced: the vertices v1, v2, v3, v4 carry the labels A, B, A, B)

Fig. 4. Application of a relabelling rule. (figure not reproduced)

Fig. 5. A graph in which we cannot find an election algorithm using local computations on open star graphs without labelling edges. (figure not reproduced)

We prove by induction that there exists an execution of R such that the vertices v1 and v3 (resp. v2 and v4) have the same labels. Initially, the result is true, and if at a step i + 1 a rule R is applied, this rule has the following form:

R :   A o-----o B   -->   A' o-----o B'

As described in Figure 4, the rule R can be applied to the nodes v1 and v2 and then to the nodes v3 and v4: the property holds.
Local Computations on Open Star Graphs

Consider the graph G described in Figure 5, which is a minimal graph and for which there exists an election algorithm using local computations on open star graphs. Suppose now that we can find an enumeration algorithm A using local computations on open star graphs such that the rules involved do not label the edges, i.e., the only label that changes in a relabelling step is the label of the center of the star graph involved.

Each time a rule is applied to v1 or v2, the same rule can also be applied to the other one, and each time a rule is applied to v3, v4 or v5, the same rule can be applied to the other ones. Therefore, we can find an execution of A such that the vertices v1 and v2 (resp. v3, v4 and v5) have the same labels and consequently, we cannot find an election algorithm on G.
Abstract. We study decidability of a logic for describing processes with restricted names. We choose a minimal fragment of the Ambient Logic, but the techniques we present should apply to every logic which uses Cardelli and Gordon revelation and hiding operators, and Gabbay and Pitts freshness quantifier. We start from the static fragment of ambient logic that Calcagno, Cardelli and Gordon proved to be decidable. We prove that the addition of a hiding quantifier makes the logic undecidable. Hiding can be decomposed as freshness plus revelation. Quite surprisingly, freshness alone is decidable, but revelation alone is not.



1 Introduction 

The term Spatial Logics (SL) has been recently used to refer to logics equipped with the composition-separation operator A | B. Spatial logics are emerging as an interesting tool to describe properties of several structures. Models for spatial logics include computational structures such as heaps [21,19], trees [7], trees with hidden names [9], graphs [8], concurrent objects [5], as well as process calculi such as the π-calculus [3,4] and the Ambient Calculus [11,13].

In all these structures, a notion of name restriction arises. The restriction (νn) P (in π-calculus notation) of a name n in a structure P is a powerful abstraction mechanism that can be used to model information that is protected by the computational model, such as hidden encryption keys [1], the actual variable names in λ-calculus, object identifiers in object calculi, and locations in a heap. Here "protected" means that no public name can ever clash with one that is protected, and that any observable behavior may depend on the equality between two names, but not on the actual value of a protected name.

Reasoning about protected names is difficult because they are "anonymous". Cardelli and Gordon suggest an elegant solution to this problem [12]. They adopt Gabbay and Pitts fresh name quantification, originally used for binder manipulation and Nominal Logics [20,16], and combine it with a new operator, revelation, which allows a public name to be used to denote a protected one. The combination of freshness quantification and revelation gives rise to a new quantifier, hidden name quantification, which can be used to describe properties of restricted names in a natural way.
In [6] decidability of validity and model-checking of a spatial logic describing trees without restricted names is studied. This logic is the quantifier-free static fragment of the Ambient Logic. Extensions of this logic can be used to describe [7], query [10], and reason about [15] tree-shaped semistructured data.

In this paper we study decidability of validity, satisfiability, and model-checking for spatial logics describing trees (or static ambients) with restricted names (throughout the paper, "decidability of a logic" is used for "decidability of validity and satisfiability for closed formulas of that logic").

In particular we study how the introduction of freshness, revelation, and 
hiding influences decidability. While we started this work with the aim of proving 
decidability of hiding, we found out quite a different situation: 

— freshness without revelation gives a rich decidable logic (Corollary 4.7) 

— even a minimal logic (conjunction, negation, and binary relations) becomes 
undecidable if it is enriched with revelation (Corollary 5.13) or with hiding 
(Corollary 5.14). 

Another contribution is the study of quantifier extrusion in SL. We introduce 
an extrusion algorithm for freshness (Lemma 4.4), and we prove that no extrusion 
algorithm exists for first order quantifiers, revelation, and hiding (Corollary 4.8). 



2 The Tree Model 

We study logics that describe trees labeled with public and restricted names. 

Definition 2.1 The set 𝒯_𝒩 of the abstract trees generated by an infinite name set 𝒩 is defined by the following grammar, with n ∈ 𝒩.

T, U ::= 0          empty tree
       | n[T]       tree branch
       | T | U      composition of trees
       | (νn) T     restricted name

Free names fn(T) and bound names are defined as usual. On these trees we define the usual congruence rules, with extrusion of restricted names. (Renaming) is the crucial rule, expressing the computational irrelevance of restricted names.



Table 2.1. Congruence rules

(Refl)        T ≡ T
(Symm)        T ≡ U  ⇒  U ≡ T
(Trans)       T ≡ U, U ≡ V  ⇒  T ≡ V
(Amb)         T ≡ U  ⇒  n[T] ≡ n[U]
(Par)         T ≡ U  ⇒  T | V ≡ U | V
(Res)         T ≡ U  ⇒  (νn) T ≡ (νn) U
(Par Zero)    T | 0 ≡ T
(Par Comm)    T | U ≡ U | T
(Par Assoc)   (T | U) | V ≡ T | (U | V)
(Renaming)    m ∉ fn(T)  ⇒  (νn) T ≡ (νm) T{n←m}
(Extr Zero)   (νn) 0 ≡ 0
(Extr Par)    n ∉ fn(T)  ⇒  T | (νn) U ≡ (νn) (T | U)
(Extr Amb)    n1 ≠ n2  ⇒  n1[(νn2) T] ≡ (νn2) n1[T]
(Extr Res)    (νn1) (νn2) T ≡ (νn2) (νn1) T
Definition 2.2 The set of trees in extruded normal form (ENF) is the least set such that: (i) a tree with no restriction is in ENF, and (ii) if T is in ENF and n ∈ fn(T) then (νn) T is in ENF.

Hence, a tree is in ENF iff it is composed of a prefix of restrictions followed by a restriction-free matrix, all the restricted names actually appear in the tree, and all the restricted names are mutually different. We will use ENF to denote the set of all terms in ENF, and ENF(T) to denote the set {U : U ∈ ENF, U ≡ T}. In the full paper [17] we show that every term admits an equivalent one in ENF.



3 The Logic 

We will study sublogics of the Ambient Logic without recursion and where no 
temporal operator appears. The logic is very rich, but we give here only a brief 
description for lack of space. For more details see [3,12,13]. 



Definition 3.1 The set 𝒜 of the formulas of the full logic is defined by the grammar shown in Table 3.1 (we will consider some sub-logics later on). η stands for either a name n ∈ 𝒩 or a name variable x ∈ 𝒳. In Table 3.1 we also define the satisfaction of a closed formula A by a model T (T ⊨ A). We use nm(A) to denote the set of all names n that appear in a formula.

Table 3.1. Spatial Logic formulas and satisfaction

A, B ::= 0          empty tree
       | η[A]       location
       | A@η        location adjunct
       | A | B      composition of trees
       | A ▷ B      composition adjunct
       | A ∧ B      conjunction
       | ¬A         negation
       | ∃x. A      existential quantification
       | Иx. A      fresh quantification
       | η®A        revelation
       | A⊘η        revelation adjunct

T ⊨ 0        ⇔  T ≡ 0
T ⊨ n[A]     ⇔  ∃U ∈ 𝒯_𝒩. T ≡ n[U] and U ⊨ A
T ⊨ A@n      ⇔  n[T] ⊨ A
T ⊨ A | B    ⇔  ∃T1, T2 ∈ 𝒯_𝒩. T ≡ T1 | T2 and T1 ⊨ A and T2 ⊨ B
T ⊨ A ▷ B    ⇔  ∀U ∈ 𝒯_𝒩. U ⊨ A implies T | U ⊨ B
T ⊨ A ∧ B    ⇔  T ⊨ A and T ⊨ B
T ⊨ ¬A       ⇔  not T ⊨ A
T ⊨ Иx. A    ⇔  ∃n ∉ (fn(T) ∪ nm(A)). T ⊨ A{x←n}
T ⊨ ∃x. A    ⇔  ∃n ∈ 𝒩. T ⊨ A{x←n}
T ⊨ n®A      ⇔  ∃U ∈ 𝒯_𝒩. T ≡ (νn) U and U ⊨ A
T ⊨ A⊘n      ⇔  (νn) T ⊨ A

We will also use T, ρ ⊨ A, where ρ is a ground substitution mapping fv(A) into 𝒩, as an alternative notation for T ⊨ Aρ, where Aρ is the closed formula obtained by applying ρ to all of its free variables.
Notation 3.2 SL_∅ will denote the logic fragment without quantifiers, revelation and revelation adjunct. SL_X will denote the extension of SL_∅ with the logical operators in X. Hence the full logic of Definition 3.1 is SL_{∃, И, ®, ⊘}.

We assume that ∃x, Иx and η® bind as far to the right as possible, so that, for example, ∃x. A ∧ ∃y. B is the same as ∃x. (A ∧ ∃y. B). We assume the usual definitions for: (i) the derived operators A ∨ B, T, F, ∀x. A, η ≠ η', A ⇒ B, A ⇔ B; (ii) free variables fv(A). It is worth emphasizing that revelation is not a binder, i.e. fv(η®A) = fv(η) ∪ fv(A). fv(η) is defined as {η} when η is a variable x, and as ∅ when η is a name n.

We will also study the properties of the following derived operators:

operator    definition    fundamental property (may be used as a definition)
Hx. A       Иx. x®A       T ⊨ Hx. A  ⇔  ∃n ∉ nm(A). ∃U ∈ 𝒯_𝒩. T ≡ (νn) U and U ⊨ A{x←n}
©n          ¬n®T          T ⊨ ©n  ⇔  n ∈ fn(T)
n = m       (n[T])@m      T ⊨ n = m  ⇔  n = m


In a nutshell, the structural operators 0, η[A], A | B allow one to explore the structure of the model, so that T ⊨ n[(m[T] ∨ p[0])] specifies that T matches either n[m[U]] or n[p[0]]. The adjunct operators @, ▷, ⊘ describe how the model behaves when it is inserted into a context n[_], U | _, or (νn) _. ▷ is very expressive, since it can be used to reduce validity to model-checking (Table 3.2, line 3). Consider now a tree T = (νp) m[p[0]] with a restricted name. This can be described by the formula n®m[n[T]], which uses n to talk about the "anonymous" p:

(νp) m[p[0]] ⊨ n®m[n[T]]   since   (νp) m[p[0]] ≡ (νn) m[n[0]]   and   m[n[0]] ⊨ m[n[T]]

However, the satisfaction of this formula depends upon the specific name n: T ⊨ n®n[T] literally means that T ≡ (νn) n[U] for some U, which is satisfied by any (νp) p[U], unless n happens to be free in (νp) p[U] (in this case, (νp) p[U] ≢ (νn) n[U]). In many situations, we really want to say things like 'T has a shape (νx) x[U]' where no name should be prevented from matching x by the irrelevant fact that it appears free in T. To this aim, we must use a name that is guaranteed to be fresh, which can be obtained through Gabbay-Pitts fresh name quantification: Иx. x®x[T]. The И-® jargon is encoded by hiding quantification: Иx. x®x[T] = Hx. x[T].
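The tree model of Section 2 (the grammar of Definition 2.1 and the extruded normal form of Definition 2.2) and the satisfaction relation of Table 3.1, restricted to the quantifier-free, adjunct-free fragment plus revelation and appearance, as an added Python example that is not the paper's code. It assumes the tuple encoding of terms and formulas given in the docstring and that user names never start with '#', which the normalizer reserves for restricted names; the sample tree (νp) m[p[0]] and formula n®m[n[T]] are the ones from the paragraph above.

```python
"""Trees with restricted names (Section 2), their extruded normal form
(Definition 2.2) and T |= A for the quantifier-free, adjunct-free fragment
with revelation and appearance (Table 3.1). Added example, not the paper's code.

Terms:    ("0",)  ("amb", n, T)  ("par", T, U)  ("res", n, T)
Formulas: ("true",) ("zero",) ("amb", n, A) ("par", A, B) ("and", A, B)
          ("not", A)  ("rev", n, A) for n(R)A  ("app", n) for (c)n
An ENF tree is (restricted, matrix): the matrix is a sorted tuple of branches
(name, submatrix) and every restricted name is rewritten to a fresh "#k"
symbol (assumption: user names never start with '#'); this is how the rule
(Renaming) is applied, so no extrusion can ever capture a name.
"""
from itertools import count

_fresh = count(1)

def names(M):
    """All names occurring in a matrix (free ones and '#' restricted ones)."""
    return set().union(*({n} | names(sub) for n, sub in M))

def rename(M, old, new):
    """M{old <- new} on branch names."""
    return tuple((new if n == old else n, rename(sub, old, new)) for n, sub in M)

def enf(term):
    """(frozenset of restricted names, restriction-free matrix): (Extr Amb) and
    (Extr Par) lift every restriction to the top, (Extr Zero) drops one whose
    name does not occur, and fresh '#k' names keep them mutually different."""
    kind = term[0]
    if kind == "0":
        return frozenset(), ()
    if kind == "amb":
        r, M = enf(term[2])
        return r, ((term[1], M),)
    if kind == "par":
        r1, M1 = enf(term[1])
        r2, M2 = enf(term[2])
        return r1 | r2, tuple(sorted(M1 + M2))
    r, M = enf(term[2])                            # kind == "res"
    if term[1] not in names(M):                    # (vn) T == T when n is not free
        return r, M
    fresh = "#%d" % next(_fresh)
    return r | {fresh}, rename(M, term[1], fresh)

def free_names(tree):
    """fn(T) for an ENF tree."""
    r, M = tree
    return names(M) - r

def _sub(r, M):
    """ENF of (v r) M: keep only the restricted names that still occur in M."""
    return r & names(M), M

def sat(tree, f):
    """T |= A for an ENF tree T and a closed formula A, following Table 3.1."""
    r, M = tree
    kind = f[0]
    if kind == "true":
        return True
    if kind == "zero":                             # T == 0
        return M == ()
    if kind == "amb":                              # T == n[U] and U |= A
        return len(M) == 1 and M[0][0] == f[1] and sat(_sub(r, M[0][1]), f[2])
    if kind == "par":                              # T == T1 | T2, T1 |= A and T2 |= B
        for mask in range(2 ** len(M)):
            M1 = tuple(b for i, b in enumerate(M) if mask >> i & 1)
            M2 = tuple(b for i, b in enumerate(M) if not mask >> i & 1)
            if r & names(M1) & names(M2):          # (Extr Par) cannot split a shared (vn)
                continue
            if sat(_sub(r, M1), f[1]) and sat(_sub(r, M2), f[2]):
                return True
        return False
    if kind == "and":
        return sat(tree, f[1]) and sat(tree, f[2])
    if kind == "not":
        return not sat(tree, f[1])
    if kind == "rev":                              # exists U. T == (vn) U and U |= A
        n = f[1]
        if n in free_names(tree):                  # then T == (vn) U is impossible
            return False
        # U is T itself ((vn) T == T here) or T with one restricted name revealed as n
        candidates = [tree] + [(r - {m}, rename(M, m, n)) for m in r]
        return any(sat(u, f[2]) for u in candidates)
    if kind == "app":                              # (c)n = not n(R)T, i.e. n in fn(T)
        return not sat(tree, ("rev", f[1], ("true",)))
    raise ValueError("unknown formula %r" % (f,))

def check(term, formula):
    """Normalize the term, then model-check the closed formula against it."""
    return sat(enf(term), formula)

# Constructed sample: T = (vp) m[p[0]] and the formula n(R)m[n[T]] of Section 3.
T_SAMPLE = ("res", "p", ("amb", "m", ("amb", "p", ("0",))))
F_SAMPLE = ("rev", "n", ("amb", "m", ("amb", "n", ("true",))))

if __name__ == "__main__":
    print(enf(T_SAMPLE))
    print(check(T_SAMPLE, F_SAMPLE))
```

Besides the paragraph's example, the checker shows why (νp) p[n[0]] does not satisfy n®n[T] (n is free), and why (νp) (p[0] | p[0]) does not satisfy ¬0 | ¬0 while (νp) p[0] | (νq) q[0] does: (Extr Par) cannot split a restriction shared by both components.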

H may be taken as primitive instead of И and ®, but one would lose (in a logic without adjuncts) the ability to express the property ©η. Hence, one would consider the pair H-© as an alternative to И-®. This motivated us to study the decidability properties of all these operators. The result is symmetric: each pair contains one operator (H/®) which is undecidable even when confined to a tiny sublogic, and an operator which we prove to be decidable (©/И); © and И are even decidable together. (We prefer the canonical choice of И-® because we find their definitions more elegant, and since the encoding of the other two operators is very direct; the reverse encoding is much harder.)

Hx. A is quite similar to an existential quantification over the names that are restricted in the model, but there are some subtleties. For example, two different hiding-quantified variables cannot be bound to the same restricted name, i.e., while n[n[0]] ⊨ ∃x. ∃y. x[y[0]], (νn) n[n[0]] ⊭ Hx. Hy. x[y[0]]: after x is bound to n, n is not restricted any more, hence y cannot be bound to n.

Hiding, freshness, appearance (©), and revelation can be used to express essential properties in any specialization of this logic to specific computational structures. We present here some examples in a very informal way, just to give the flavour of the applications of the hiding operator.

When restricted names are used to represent pointers, the presence of a dangling pointer can be formalized as follows [9]; here .n[A] abbreviates n[A] | T, hence means: there is a branch n[U] that satisfies n[A].

Hx. (.paper[.citing[x]] ∧ ¬.paper[.paperId[x]])

If restricted names represent passwords in a concurrent system (e.g. in [3]), we can specify properties like 'inside k we find a password which will not be communicated', with the following sentence, where '◇A' means 'in some process deriving from the current process A holds', and 'send(m, n)' means 'm is ready for transmission on a channel n'.

Hx. .k[x] ∧ ¬∃n. ◇send(x, n)

If restricted names represent α-renamable variable names, the following sentence describes any tree that represents a lambda term; μX. A is a recursive definition, where each occurrence of X can be expanded with the body A. It says: a lambda term is either a free variable, or an application, or a lambda binder that pairs an α-renamable name with a body, where that name may appear free. The interplay between μ and H ensures that no variable appears twice in the same scope.

μLT. (∃x. var[x]) ∨ (function[LT] | argument[LT]) ∨ (Hx. lambda[x] | body[LT])

We now define the standard notions of formula validity, satisfiability, formula implication, and formula equivalence for spatial logics.

vld(A)   ≜  ∀T ∈ 𝒯_𝒩. ∀ρ : fv(A) → 𝒩. T, ρ ⊨ A                         (validity)
sat(A)   ≜  ∃T ∈ 𝒯_𝒩. ∃ρ : fv(A) → 𝒩. T, ρ ⊨ A                         (satisfiability)
A ⊢ B    ≜  ∀T ∈ 𝒯_𝒩. ∀ρ : (fv(A) ∪ fv(B)) → 𝒩. T, ρ ⊨ A ⇒ T, ρ ⊨ B    (implication)
A ⊣⊢ B   ≜  A ⊢ B and B ⊢ A                                              (equivalence)

Let ∀A denote ∀x1 ... ∀xn. A, where {x1 ... xn} = fv(A), and similarly for ∃A. The following properties come from [12,6], or are easily derivable from there.

Table 3.2. Properties of SL

(Implication)   A ⊢ B ⇔ vld(A ⇒ B)            A ⊣⊢ B ⇔ vld(A ⇔ B)
(Closure)       vld(A) ⇔ vld(∀A)               sat(A) ⇔ sat(∃A)
(vld by ⊨)      vld(A) ⇔ 0 ⊨ T ▷ ∀A ⇔ 0 ⊨ ∀(T ▷ A)

The last property shows how validity can be reduced to model-checking using ▷ and quantification, or just ▷ alone, when the formula is closed [6].
4 Decidable Sublogics

In this section we prove decidability of SL_{©,⊘} and we extend the result to SL_{©,⊘,И} using an extrusion algorithm for freshness quantification.

An extrusion algorithm for a set of logical operators O is an algorithm that transforms a formula into an equivalent formula in O-prenex form, i.e. into a formula formed by a prefix of operators from O followed by a matrix where they do not appear. In the following we will show that: (i) in a spatial logic with the ▷ operator, extrusion implies decidability (Corollary 4.6); (ii) the freshness quantifier admits extrusion (Lemma 4.4), hence is decidable; (iii) undecidability of the revelation operator, existential quantifier, and hiding quantifier implies that no extrusion algorithm can exist for them (Corollary 4.8).



4.1 Quantifier-Free Decidable Sublogics 



We start from the following result presented in [6]. 

Theorem 4.1 (Calcagno-Cardelli-Gordon). The model-checking, validity, 
and satisfiability problems for closed formulas in $SL\{\}$ are decidable over trees 
with no restricted names. 

We now extend this result by adding restricted names to the models and the 
revelation adjunct ($A \oslash \eta$) to the logic. 

Theorem 4.2 (Model-checking with Restricted Names in the Model 
and Revelation Adjunct in the Logic). The model-checking problem re- 
stricted to closed formulas in $SL\{\oslash\}$ is decidable over all trees (i.e., including 
trees with restricted names). 

Proof. (Sketch, see [17]) We follow the schema of [6], and define an equivalence 
relation $\approx_{h,w,N}$ ($N$ is a set of names), an algorithm to enumerate a witness 
$\mathcal{U}^{(h,w,N)}$ for each equivalence class of $\approx_{h,w,N}$, and a size $|A|$ for each formula $A$. 
If $|B| = (h,w,N)$, we show that model-checking $T \models A \triangleright B$ can be reduced to 
checking that, for each $U \in \mathcal{U}^{(h,w,N)}$, $U \models A \Rightarrow U \,|\, T \models B$. 

In the full pa­per [17] we show that $\copyright\eta$ can be encoded in $SL\{\oslash\}$ making use 
of $(\copyright\eta) = (\eta[0] \triangleright ((\neg(\neg 0 \,|\, \neg 0)) \oslash \eta))@\eta$. Hence we have the following corollary. 



Corollary 4.3 (Adding $\copyright\eta$). The model-checking problem for closed formulas 
in $SL\{\oslash, \copyright\eta\}$ is decidable over all trees (i.e., including trees with restricted names). 

4.2 Quantifier Extrusion 

We start our discussion of extrusion on a familiar ground, by listing, in Table 4.1, 
some logical equivalences that can be used to extrude universal and existential 
quantifiers from some of the other operators. The first four are the usual First 
Order Logic (FOL) rules. 



Table 4.1. Extrusion of existential quantifier 

$x \notin fv(B)$   $(\forall x.\,A) \wedge B \dashv\vdash \forall x.\,(A \wedge B)$                   ($\forall$-$\wedge$) 
                   $(\exists x.\,A) \wedge B \dashv\vdash \exists x.\,(A \wedge B)$                   ($\exists$-$\wedge$) 
                   $\neg(\forall x.\,A) \dashv\vdash \exists x.\,(\neg A)$                            ($\forall$-$\neg$) 
                   $\neg(\exists x.\,A) \dashv\vdash \forall x.\,(\neg A)$                            ($\exists$-$\neg$) 
$y \neq \eta$      $\eta[\forall y.\,A] \dashv\vdash \forall y.\,(\eta[A])$                           ($\forall$-$[\,]$) 
                   $\eta[\exists y.\,A] \dashv\vdash \exists y.\,(\eta[A])$                           ($\exists$-$[\,]$) 
$x \notin fv(B)$   $(\forall x.\,A) \,|\, B \vdash \forall x.\,(A \,|\, B)$                           ($\forall$-$|$ $\vdash$) 
                   $(\exists x.\,A) \,|\, B \dashv\vdash \exists x.\,(A \,|\, B)$                     ($\exists$-$|$) 
$y \neq x$         $\text{И}x.\,\forall y.\,A \vdash \forall y.\,(\text{И}x.\,A)$                     ($\forall$-И $\vdash$) 
                   $\text{И}x.\,\exists y.\,A \dashv \exists y.\,(\text{И}x.\,A)$                     ($\exists$-И $\dashv$) 
                   $\eta\circledR\forall y.\,A \vdash \forall y.\,(\eta\circledR A)$                  ($\forall$-$\circledR$ $\vdash$) 
                   $\eta\circledR\exists y.\,A$  [right-hand side illegible]                          ($\exists$-$\circledR$) 
$x \notin fv(B)$   $(\forall x.\,A) \triangleright B \dashv \exists x.\,(A \triangleright B)$        ($\forall$-$\triangleright$l $\dashv$) 
                   $(\exists x.\,A) \triangleright B$  [right-hand side illegible]                    ($\exists$-$\triangleright$l) 
$x \notin fv(A)$   $A \triangleright (\forall x.\,B) \dashv\vdash \forall x.\,(A \triangleright B)$  ($\forall$-$\triangleright$r) 
                   $A \triangleright (\exists x.\,B)$  [right-hand side illegible]                    ($\exists$-$\triangleright$r) 
$y \neq \eta$      $(\forall y.\,A)@\eta \dashv\vdash \forall y.\,(A@\eta)$                           ($\forall$-$@$) 
                   $(\exists y.\,A)@\eta \dashv\vdash \exists y.\,(A@\eta)$                           ($\exists$-$@$) 
$y \neq \eta$      $(\forall y.\,A)\oslash\eta \dashv\vdash \forall y.\,(A\oslash\eta)$               ($\forall$-$\oslash$) 
                   $(\exists y.\,A)\oslash\eta \dashv\vdash \exists y.\,(A\oslash\eta)$               ($\exists$-$\oslash$) 



If all the rules were double implications ($\dashv\vdash$), we could use them to extrude 
the existential quantifier in any formula. However, the presence of some single 
implications prevents their direct use for this aim. Each single implication we 
write is actually strict, i.e. whenever we write $A \vdash B$ in the table above we also 
mean that $B \vdash A$ has a counterexample (see the full paper [17]). 

The table above shows that $\forall$-$\exists$ extrusion is not trivial, but it does not prove 
it to be impossible (for example, simple double-implication rules for $\exists$-И and $\forall$-И 
do exist); the actual impossibility proof will come later. Similar rules, riddled 
with single implications, govern the extrusion of hiding quantifiers and of $\circledR$. In 
this case as well, we will show later that they cannot be adjusted. 

The situation looks very similar for the freshness quantifier (Table 4.2), apart 
from the fact that, thanks to its self-duality, we only need half of the rules. 



Table 4.2. Extrusion of freshness quantifier 

$x \notin fv(B)$   $(\text{И}x.\,A) \wedge B \dashv\vdash \text{И}x.\,(A \wedge B)$                       (И-$\wedge$) 
                   $\neg(\text{И}x.\,A) \dashv\vdash \text{И}x.\,(\neg A)$                                (И-$\neg$) 
$y \neq \eta$      $\eta[\text{И}y.\,A] \dashv\vdash \text{И}y.\,(\eta[A])$                               (И-$[\,]$) 
$x \notin fv(B)$   $(\text{И}x.\,A) \,|\, B \dashv\vdash \text{И}x.\,(A \,|\, B)$                         (И-$|$) 
$y \neq x$         $\exists x.\,\text{И}y.\,A \vdash \text{И}y.\,(\exists x.\,A)$                         (И-$\exists$ $\vdash$) 
$y \neq \eta$      $\eta\circledR\text{И}y.\,A \dashv\vdash \text{И}y.\,(\eta\circledR A)$                (И-$\circledR$) 
$x \notin fv(B)$   $(\text{И}x.\,A) \triangleright B \dashv \text{И}x.\,(A \triangleright B)$            (И-$\triangleright$l $\dashv$) 
$x \notin fv(A)$   $A \triangleright (\text{И}x.\,B) \dashv \text{И}x.\,(A \triangleright B)$            (И-$\triangleright$r $\dashv$) 
$y \neq \eta$      $(\text{И}y.\,A)@\eta \dashv\vdash \text{И}y.\,(A@\eta)$                               (И-$@$) 
$y \neq \eta$      $(\text{И}y.\,A)\oslash\eta \dashv\vdash \text{И}y.\,(A\oslash\eta)$                   (И-$\oslash$) 

Once more, all the single implications are strict (see the full paper [17]). 
However, the three single-implication rules admit a double-implication ver- 
sion, as shown in Table 4.3. 

Table 4.3. Extrusion of freshness quantifier - part two 

$x \neq y$         $\exists x.\,\text{И}y.\,A \dashv\vdash \text{И}y.\,(\exists x.\,A \wedge x \neq y)$                           (И-$\exists$) 
$y \notin fv(B)$   $(\text{И}y.\,A) \triangleright B \dashv\vdash \text{И}y.\,((\neg\copyright y \wedge A) \triangleright B)$    (И-$\triangleright$l) 
$y \notin fv(A)$   $A \triangleright (\text{И}y.\,B) \dashv\vdash \text{И}y.\,((\neg\copyright y \wedge A) \triangleright B)$    (И-$\triangleright$r) 

The last two rules are bizarre: regardless of which side (of $\triangleright$) И is extruded 
from, $y$ must always be excluded from the left hand side. In the full paper we 
prove the correctness of all the extrusion rules. 

Lemma 4.4 (Extrusion of freshness). There is an algorithm to transform 
any formula in the full logic into an equivalent formula in И-prenex form. 

Proof. The algorithm exhaustively applies the double-implication rules of Ta- 
bles 4.2 and 4.3, left to right, for as long as possible. Termination is easy. 

We now use this result to prove decidability of the freshness quantifier. 



4.3 Decidable Sublogics with Quantifiers and Impossibility of 
Extrusion 

We first observe that model-checking is decidable for prenex logics; of course, this 
is not true, in general, for validity, or for model-checking non-prenex formulas. 

Theorem 4.5 (Decidability of Prenex Model-Checking). Model-checking 
over all trees is decidable for the closed formulas $F$ generated by the following 
grammar ($\exists$, $\mathsf{H}$, $\circledR$, И : outermost only; $\copyright\eta$, $\oslash$ : unlimited): 

$F ::= \exists x.\,F \mid x\circledR F \mid \mathsf{H}x.\,F \mid \text{И}x.\,F \mid \neg F \mid A$ 
$A ::= 0 \mid \eta[A] \mid A \,|\, A \mid A \wedge A \mid \neg A \mid \copyright\eta \mid A \triangleright A \mid A@\eta \mid A\oslash\eta$ 

Proof (Sketch, see [17]) By induction on the size of $F$ and by cases. Case $\neg F$ is 
trivial. Case $A$ is Corollary 4.3. To model-check $T \models \exists x.\,F$, check $T \models F\{x \leftarrow n\}$ 
for $n \in (fn(T) \cup nm(F) \cup \{m\})$, where $m$ is fresh. To model-check $T \models n\circledR F$, 
transform $T$ in ENF $(\nu n_1) \ldots (\nu n_k)\,U$ and check that $n \notin fn(T)$ and that either 
$T \models F$ or $\exists i.\ (\nu n_1) \ldots (\nu n_{i-1})(\nu n_{i+1}) \ldots (\nu n_k)\,U\{n_i \leftarrow n\} \models F$. $T \models \mathsf{H}x.\,F$ is 
similar. To model-check $T \models \text{И}x.\,F$, choose a name $n \notin fn(T) \cup nm(F)$ and 
model-check $T \models F\{x \leftarrow n\}$. 

Theorem 4.5 has the following Corollary. 

Corollary 4.6 (Extrusion implies Decidability). The existence of an ex- 
trusion algorithm, i.e. an algorithm that transforms every formula into an equiv- 
alent formula generated by the grammar of Theorem 4.5, for any sublogic $L$ of 
$SL$ containing $\triangleright$, implies the decidability of $L$. 
Proof. To decide $vld(A)$ for a closed formula $A$, reduce it to $0 \models \mathbf{T} \triangleright A$, apply 
the extrusion algorithm, and use the algorithm of Theorem 4.5. 

As a consequence, the addition of freshness preserves the decidability of the 
logic of Corollary 4.3. 

Corollary 4.7 (Decidability of Fresh Quantifiers). Model-checking and va- 
lidity for the closed formulas in $SL\{\text{И}, \oslash, \copyright\eta\}$ are decidable over all trees. 

To sum up, fresh quantification alone is not enough to lose decidability, even 
if combined with a limited form of revelation ($\copyright\eta$). 

The proof is based on the possibility of extruding freshness quantifiers 
through all operators, including negation and the parallel adjunct operator that 
internalizes validity in the logic. This reveals a deep algebraic difference between 
freshness and existential quantification, where such extrusion is not possible. We 
now formalize this fact. 

By undecidability of $SL\{\exists\}$ (follows from [14]), of $SL\{\circledR\}$ (follows from Corol- 
lary 5.13), and of $SL\{\mathsf{H}\}$ (follows from Corollary 5.14), the three logics of Corol- 
lary 4.6 are all undecidable. Hence, we have the following Corollary. 

Corollary 4.8 (No Extrusion). No extrusion algorithm (as defined in Corol- 
lary 4.6) exists for $SL\{X\}$ if $X$ includes $\{\exists\}$, $\{\circledR\}$, or $\{\mathsf{H}\}$. 

5 Undecidability Results 

5.1 Standard Model 

In this section we focus on a tiny sublogic of SL that contains the revelation 
operator and show that for each formula A of that sublogic, when a tree T 
satisfies A, there exists a cut-down version of T that satisfies the same formula. 
This is a key technical tool in order to prove (later) that the decidability of this 
tiny logic is already as hard as decidability of first order logic. 

Notation 5.1 (Path-Formulas) A path-formula $p$ is a formula denoting the 
existence of a path of edges, starting from the root and leading to a leaf, as follows 
(we only define path formulas of length one and two, since we need no more). 

$.\eta = \eta[0] \,|\, \mathbf{T}$        $.\eta'.\eta = \eta'[\eta[0] \,|\, \mathbf{T}] \,|\, \mathbf{T}$ 

When a tree satisfies $.m.n$ we say that it "contains a path $m.n$"; the path 
ends with a leaf. The minimal tree containing such a path, $m[n[0]]$ (which we also 
write $m[n]$), is called a "line for the path $m.n$", and similarly $m[0]$ (abbreviated 
as $m$) is a line for $m$. 

We now introduce a notion of path cutting. Intuitively, the tree $Cut_N(T)$ 
contains one line for each of those paths $m.n$ of $T$ such that $m$ and $n$ are either 
bound or in $N$ (longer paths, and paths with free names not in $N$, are cut 
away). By this construction, for any formula $A$ with shape $.n_1.n_2$, $n_1\circledR .n_2.n_3$, 
$n_1\circledR n_2\circledR .n_3.n_4$ (where $n_i$ may be equal to $n_j$), $Cut_{nm(A)}(T)$ is $A$-equivalent 
to $T$, i.e. $Cut_{nm(A)}(T) \models A \Leftrightarrow T \models A$. Moreover, $Cut_N(T)$ contains a list 
$n_1[0] \,|\, \ldots \,|\, n_j[0]$, where $\{n_1, \ldots, n_j\} = fn(T) \cap N$, so that the validity of formulas 
$n\circledR\mathbf{T}$, for $n \in N$, is preserved as well. In other words, we cut away long paths 
and paths with free names not in $N$, and we rewrite trees like "$n[m \,|\, p]$" as lines 
"$n[m] \,|\, n[p] \,|\, n \,|\, m \,|\, p$". 

We will prove that this cut-down structure is logically equivalent to the origi- 
nal tree, with respect to those formulas that only contain path-formulas of length 
2 and names that are in N (Theorem 5.4). 

Before giving the formal definition, we give some examples. Cutting is only 
defined up to congruence. 

flattening                    $Cut_{\{n,m\}}(n[m \,|\, n]) = n[m] \,|\, n[n] \,|\, n \,|\, m$ 
cutting long paths            $Cut_{\{n,m\}}(n[m[n]]) = n \,|\, m$ 
cutting w.r.t. more names     $Cut_{\{n,m,p\}}(n[m \,|\, n]) = n[m] \,|\, n[n] \,|\, n \,|\, m$ 
deleting free names           $Cut_{\{n\}}(n[m \,|\, n]) = n[n] \,|\, n$ 
preserving bound names        $Cut_{\{n\}}((\nu m)\, n[m \,|\, n]) = (\nu m)\, n[m] \,|\, n[n] \,|\, n \,|\, m$ 
name clashes don't matter     $Cut_{\{n,m\}}((\nu m)\, n[m \,|\, n]) = (\nu m)\, n[m] \,|\, n[n] \,|\, n \,|\, m$ 
preserving the name m         $Cut(\,\ldots \,|\, m[p]) = n[n] \,|\, n \,|\, m$  [left-hand side partly illegible] 

We first define an auxiliary partial function $enfCut_N(T)$, that is only defined 
on trees in ENF. $enfCut_N(T)$ behaves as $Cut_N(T)$ in all the examples above. 
Then we define $Cut_N(T)$ by closing $enfCut_N(T)$ with respect to tree equivalence. 



Definition 5.2 (Path cutting for ENF). For each tree in ENF, for each 
set of names $N$, we define the operation $enfCut_N(T)$ as follows. $Par\{T : cond\}$ 
combines (using $|$) all instances $(T)\sigma$ of $T$ such that $(cond)\sigma$ is satisfied. 

$enfCut_N((\nu m)\, T) = (\nu m)\, enfCut_{N \cup \{m\}}(T)$ 

$enfCut_N(U)$ (where $U$ contains no $(\nu n)\,T'$ subterm) 
$= Par\{n_1[n_2[0]] : U \models .n_1.n_2,\ \{n_1,n_2\} \subseteq N\} \,|\, Par\{n[0] : n \in (fn(U) \cap N)\}$ 

Definition 5.3. $Cut_N(T) = \{enfCut_N(U) : U \in ENF(T)\}$ 

In the full paper [17] we prove that $Cut_N()$ preserves congruence, i.e. that $T \equiv 
T' \wedge U \in Cut_N(T) \wedge U' \in Cut_N(T') \Rightarrow U \equiv U'$. Hence, $Cut_N(T)$ only contains 
one tree modulo equivalence, and we will abuse notation by using $Cut_N(T)$ to 
denote that tree. 
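As an added example (not code from the paper), the following Python implements $enfCut_N$ of Definition 5.2 on ENF trees, together with the structural-congruence check under which $Cut_N(T)$ can be read as the single tree of Definition 5.3; the tree representation (a restriction-free forest as a tuple of (label, subforest) edges, with the restricted names listed in front) is my own assumption, and the worked examples of Section 5.1 are used as the inputs.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterator, Tuple

# Assumed representation (not the paper's): a restriction-free forest U is a
# tuple of edges (label, subforest); an ENF tree is (nu m1)...(nu mk) U with the
# restricted names kept in a separate tuple, outermost first.
Forest = Tuple[Tuple[str, "Forest"], ...]


@dataclass(frozen=True)
class EnfTree:
    bound: Tuple[str, ...]  # restricted names m1..mk
    body: Forest            # U: contains no (nu n) subterm


def edge(label: str, *children: Tuple[str, "Forest"]) -> Tuple[str, Forest]:
    """Build the edge label[child1 | child2 | ...]; edge("n") is the line n[0]."""
    return (label, tuple(children))


def free_names(forest: Forest) -> FrozenSet[str]:
    """fn(U): every label occurring anywhere in a restriction-free forest."""
    names: set = set()
    for label, sub in forest:
        names.add(label)
        names |= free_names(sub)
    return frozenset(names)


def paths_of_length_two(forest: Forest) -> Iterator[Tuple[str, str]]:
    """Pairs (n1, n2) with U |= .n1.n2, i.e. U = n1[n2[0] | T] | T (Notation 5.1):
    an edge n1 at the root whose subforest contains the leaf edge n2[0]."""
    for n1, sub in forest:
        for n2, subsub in sub:
            if not subsub:  # n2[0]: the path must end with a leaf
                yield (n1, n2)


def enf_cut(tree: EnfTree, names: FrozenSet[str]) -> EnfTree:
    """enfCut_N(T) of Definition 5.2.

    enfCut_N((nu m) T) = (nu m) enfCut_{N u {m}}(T)
    enfCut_N(U)        = Par{ n1[n2[0]] : U |= .n1.n2, {n1,n2} <= N }
                       | Par{ n[0]      : n in fn(U) ∩ N }
    Par combines each distinct instance once, so n[n | n] yields a single n[n].
    """
    n = frozenset(names) | frozenset(tree.bound)  # every (nu m) adds m to N
    lines = {(n1, n2) for (n1, n2) in paths_of_length_two(tree.body)
             if n1 in n and n2 in n}
    singles = free_names(tree.body) & n
    body = (tuple(edge(n1, edge(n2)) for n1, n2 in sorted(lines))
            + tuple(edge(m) for m in sorted(singles)))
    return EnfTree(tree.bound, body)


def canonical(tree: EnfTree) -> EnfTree:
    """Normal form modulo the congruence used here: parallel composition is
    commutative and associative and restrictions commute, so edges are sorted
    recursively and the restricted names are sorted (bound names are not renamed)."""
    def norm(forest: Forest) -> Forest:
        return tuple(sorted((label, norm(sub)) for label, sub in forest))
    return EnfTree(tuple(sorted(tree.bound)), norm(tree.body))


def congruent(a: EnfTree, b: EnfTree) -> bool:
    return canonical(a) == canonical(b)


def cut(tree: EnfTree, names) -> EnfTree:
    """Cut_N(T) read as one tree: the paper proves enfCut_N respects congruence,
    so one ENF representative suffices; the result is returned in canonical form."""
    return canonical(enf_cut(tree, frozenset(names)))


if __name__ == "__main__":
    # Examples of Section 5.1: n[m | n] is one edge n whose children are leaves m, n.
    t = EnfTree((), (edge("n", edge("m"), edge("n")),))
    print(cut(t, {"n", "m"}))                    # flattening: n[m] | n[n] | n | m
    long_path = EnfTree((), (edge("n", edge("m", edge("n"))),))
    print(cut(long_path, {"n", "m"}))            # long path cut: n | m
    print(cut(EnfTree(("m",), t.body), {"n"}))   # bound m kept: (nu m) n[m] | n[n] | n | m
```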

Theorem 5.4 (Standard Model). Let $A$ be a closed formula generated by the 
following grammar: 

$A ::= .\eta_1.\eta_2 \mid A \wedge A \mid \eta\circledR A \mid \text{И}x.\,A \mid \neg A$ 

then: 

$T \models A \Leftrightarrow Cut_{nm(A)}(T) \models A$. 

Proof. For the ($\Rightarrow$) direction we prove, by induction on the size of $A$, the fol- 
lowing stronger property: $\forall N$ finite. $T \models A \Rightarrow Cut_{nm(A) \cup N}(T) \models A$, for an 
equivalent logic without negation, but with De Morgan duals for each operator 
(see [17]). The other direction is easily derived by contradiction and definition 
of negation. 



5.2 Undecidability of Revelation 

Since we are studying undecidability, we focus here on weak versions of the logic. 
We will prove undecidability for a logic with just $\wedge$, $\neg$, $\circledR$, and path formulas. 
The undecidability of any richer logic follows immediately. 

We are going to define a translation of FOL formulas into SL formulas, and 
FOL structures into SL trees, in order to reduce SL satisfiability to FOL satis- 
fiability over a finite domain, which is known to be undecidable. 

We first define our specific flavour of FOL. We consider formulas over a 
vocabulary which only consists of a binary relation $R$, i.e. formulas generated 
by the following grammar (this logic is already undecidable [2]): 

$\phi ::= \exists x.\,\phi \mid \phi \wedge \psi \mid \neg\phi \mid R(x,x')$ 

We define satisfaction of a closed formula, over an interpretation consisting of 
a domain $\mathcal{D}$ and a binary relation $\mathcal{R}$ over $\mathcal{D}$, with respect to a variable assignment 
$\sigma$ with $\sigma\!\uparrow\, \supseteq fv(\phi)$ (where $f\!\uparrow$ is the domain of a function $f$) as follows. 



$\mathcal{D},\mathcal{R},\sigma \models \exists x.\,\phi \Leftrightarrow_{def}$ exists $c \in \mathcal{D}.\ \mathcal{D},\mathcal{R},\sigma\{x \leftarrow c\} \models \phi$ 

$\mathcal{D},\mathcal{R},\sigma \models \phi \wedge \psi \Leftrightarrow_{def} \mathcal{D},\mathcal{R},\sigma \models \phi$ and $\mathcal{D},\mathcal{R},\sigma \models \psi$ 

$\mathcal{D},\mathcal{R},\sigma \models \neg\phi \Leftrightarrow_{def}$ not $(\mathcal{D},\mathcal{R},\sigma \models \phi)$ 

$\mathcal{D},\mathcal{R},\sigma \models R(x,x') \Leftrightarrow_{def} (\sigma(x),\sigma(x')) \in \mathcal{R}$ 



Essentially, we will translate a model $\mathcal{D},\mathcal{R}$ into an ENF term $(\nu n_I)\, [\![\mathcal{D}]\!] \,|\, [\![\mathcal{R}]\!]$, 
with one name $n_i$ for each element of $\mathcal{D}$, with $\mathcal{R}$ encoded as a set of lines of length 
two, and $\mathcal{D}$ encoded as a set of lines of length one, obtaining structures that 
have the same shape as the cut-down trees introduced in Section 5.1. 

In the formula, we will translate $\exists$ into $\circledR$ and $R(x,y)$ into $.m.n$. To translate 
$\exists$ into $\circledR$, we have to overcome some differences between the two operators. The 
most important difference is the fact that $\exists$ is a binder while $\circledR$ is not. In FOL 
semantics, we associate each variable $x$ that is bound in a formula $\exists x.\,\phi$ with 
a value $c$ that is "free" in the domain. In the SL translation this becomes an 
association between a name $m$ that is free in a formula $m\circledR A$ and a name $n_i$ 
that is bound in the model $(\nu n_i)\,T$. So, while in FOL we match variables in the 
formula with values in the domain, in the SL translation we will match bound 
names in the model with the free names used to reveal them in the formula. 

Technically, we translate a FOL closed formula $\phi$ into a formula $[\![\phi]\!]$, where 
all the closed variables of $\phi$ are left open, and a ground substitution $(\!(\phi)\!)$ such 
that $(\!(\phi)\!)\!\uparrow\, \supseteq fv([\![\phi]\!])$, so that $[\![\phi]\!](\!(\phi)\!)$ is closed. We then reduce satisfiability of $\phi$ 
to satisfiability of (a variant of) $[\![\phi]\!](\!(\phi)\!)$. 
A second difference is the fact that the same value can be bound to two 
different FOL variables, while the same restricted name cannot be revealed twice, 
hence, $\{(c,c)\} \models \exists x_1.\,\exists x_2.\,R(x_1,x_2)$ but $(\nu n)\,n[n[0]] \not\models n_1\circledR n_2\circledR .n_1.n_2$. 

We solve this problem by translating $\exists x_1.\,\exists x_2.\,\phi$ as if it were 
$\exists x_1.\,((\exists x_2 \neq x_1.\,\phi) \vee \phi\{x_2 \leftarrow x_1\})$, i.e. as: $x_1\circledR((x_2\circledR[\![\phi]\!]) \vee [\![\phi\{x_2 \leftarrow x_1\}]\!])$. 

To this aim, in the translation algorithm a parameter $Y$ keeps track of the 
quantified variables met during the translation. The first line of Table 5.1 defines 
how $Y$ is grown with each quantification, and how it is used to generate a 
disjunction of $[\![\phi\{x_2 \leftarrow x_1\}]\!]^Y$ clauses. 

Finally, while $x$ in $\exists x.\,\phi$ can only be associated to an element that is in the 
domain, $n$ in $n\circledR A$ can also be associated to a name that does not appear in 
the model at all (since, for each $n \notin fv(T)$, $T \equiv (\nu n)\,T$). We solve this problem 
by translating $\exists x.\,\phi$ as $x\circledR([\![\phi]\!] \wedge .x)$ and by restricting our attention to models 
where, for every name $n$ in a term, a line $n[0]$ is present. We use our results on 
tree-cutting to show that this restriction is without loss of generality. 

Notation 5.5 We write $M : M \rightharpoonup N$ to specify that $M$ is partial and injective 
from $M$ to $N$, and $M : M \rightarrowtail N$ to specify that $M$ is total and injective from $M$ 
to $N$. For any partial function $N : M \rightharpoonup N$, we will use $N\!\uparrow$ to denote its actual 
domain and $N\!\downarrow$ to denote its actual range, i.e.: 

$N\!\uparrow\, = \{m : \exists n \in N.\ N(m) = n\}$        $N\!\downarrow\, = \{n : \exists m \in M.\ N(m) = n\}$ 

When $M, N : M \rightharpoonup N$ we use $M \oplus N$ to denote function extension, as follows: 

$(M \oplus N)(x) =$ if $x \in N\!\uparrow$ then $N(x)$ else $M(x)$ 

Hence, $M \oplus \{c \leftarrow n\}$ yields $n$ on $c$ and coincides with $M$ elsewhere. 

Notation 5.6 $(\nu n_I)\,T = (\nu n_{i_1}) \ldots (\nu n_{i_j})\,T$ with $I = \{i_1, \ldots, i_j\}$, $n : I \rightarrowtail \mathcal{N}$. 

We can finally define our translation. We map an FOL formula to an SL 
formula, an interpretation $\mathcal{D},\mathcal{R}$ to a tree $[\![\mathcal{D},\mathcal{R}]\!]^{M,N}$, and a variable assignment to 
a ground substitution. The translation is parametrized on a couple of functions, 
$M$ and $N$, with disjoint domains and ranges, such that $M \oplus N$ (see Notation 5.5) 
injectively maps the whole $\mathcal{D}$ into $\mathcal{N}$. In a nutshell, elements in $M\!\uparrow$ are mapped 
into names that are free in $[\![\mathcal{D},\mathcal{R}]\!]^{M,N}$, while $N\!\uparrow$ is mapped over bound names. 

Definition 5.7 (Formula translation). We define here a translation of FOL 
formulas, interpretations, and variable assignments, into SL formulas, interpre- 
tations, and variable assignments. Moreover, each FOL formula $\phi$ is also mapped 
to a ground substitution, defined on all and only the bound variables in $\phi$, which 
we assume to be mutually distinct. The translation is parametric with respect to 
a subset $P$ of $\mathcal{N}$, and to a couple of functions $M$, $N$ such that $M \oplus N : \mathcal{D} \rightarrowtail \mathcal{N}$. 
$P$ is used to express freshness as "not belonging to $P$". In the first clause of the 
"formulas into substitutions" we do not specify how $m'$ is chosen, but we will 
assume that the choice is deterministic, i.e. that $(\!(\phi)\!)^P$ is uniquely determined. 
Table 5.1. Formula translation 

formulas into formulas 

$[\![\exists x.\,\phi]\!]^Y =$ [right-hand side illegible] 

$[\![\phi \wedge \psi]\!]^Y =$ [right-hand side illegible] 

$[\![R(x,x')]\!]^Y = .x.x'$ 

formulas into substitutions 

$(\!(\exists x.\,\phi)\!)^P = (\!(\phi)\!)^P \oplus \{x \leftarrow m'\}$     choose $m' \in \mathcal{N} \setminus (P \cup (\!(\phi)\!)^P\!\downarrow)$ 

$(\!(\phi \wedge \psi)\!)^P = (\!(\phi)\!)^P \oplus$ [remainder illegible] 

$(\!(R(x,x'))\!)^P = \emptyset$ 

interpretations, domains, and relations into trees 

$[\![\emptyset]\!]^M = 0$ 

$[\![\{c\} \cup \mathcal{D}]\!]^M = M(c)[0] \,|\, [\![\mathcal{D}]\!]^M$ 

$[\![\{(c,c')\} \cup \mathcal{R}]\!]^M = M(c)[M(c')[0]] \,|\, [\![\mathcal{R}]\!]^M$ 

assignments into assignments 

$[\![\sigma \oplus \{x \leftarrow c\}]\!]^M = [\![\sigma]\!]^M \oplus \{x \leftarrow M(c)\}$ 

$[\![\emptyset]\!]^M = \emptyset$ 


Theorem 5.8. For any closed FOL formula $\phi$ where all the free and bound 
variables are disjoint, for any $N : \mathcal{D} \rightarrowtail \mathcal{N}$: 

$\mathcal{D},\mathcal{R} \models \phi \Leftrightarrow [\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N} \models [\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset$ 

Proof. In [17] we prove by induction and by cases the more general property 
$(\mathcal{D},\mathcal{R}),\sigma \models \phi \Leftrightarrow [\![\mathcal{D},\mathcal{R}]\!]^{M,N} \models$ [right-hand side partly illegible], under some hypotheses that 
essentially constrain $\sigma$ to be a substitution mapping free variables of $\phi$ (and 
those in $Y$) into $M$-elements (i.e. elements in $M\!\uparrow$) without name-clashes with 
$N\!\downarrow$ and $\mathcal{N} \setminus P$. By choosing the empty function for $M$, the empty set for $Y$, 
$P = N\!\downarrow$, and the empty assignment for $\sigma$, we have that: 

$\mathcal{D},\mathcal{R} \models \phi \Leftrightarrow [\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N} \models [\![\phi]\!]^\emptyset [\![\emptyset]\!]^\emptyset (\!(\phi)\!)^{N\downarrow} \Leftrightarrow [\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N} \models [\![\phi]\!]^\emptyset (\!(\phi)\!)^{N\downarrow}$ 

This is equivalent to the thesis as a consequence of the Gabbay-Pitts property. 

Corollary 5.9. For any closed FOL formula $\phi$ where all the free and bound 
variables are disjoint, $SAT_{FOL}(\phi) \Rightarrow SAT_{SL}([\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset)$. 

Unfortunately, the inverse implication does not hold, because $[\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset$ may 
be satisfied by SL models which are not the translation of any FOL model. 
Consider $(\exists x.\,\mathbf{T}) \wedge \neg(\exists y.\,\mathbf{T})$. It is clearly unsatisfiable, but it is translated (un- 
der $Y = \emptyset$, $M = \emptyset$) as $m\circledR(\mathbf{T} \wedge .m) \wedge \neg n\circledR(\mathbf{T} \wedge .n)$, which is satisfied by the 
model $(\nu m')\, m'[0] \,|\, n[0]$, since the free occurrence of $n$ prevents the model from 
satisfying $n\circledR(\mathbf{T} \wedge .n)$, while it satisfies $m\circledR(\mathbf{T} \wedge .m)$. 
This fact does not contradict Theorem 5.8, since $(\nu m')\, m'[0] \,|\, n[0]$ is not the 
translation of any FOL model under $M = \emptyset$, because $[\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N}$ has no free 
names. The fact that the model is not closed is actually the core of the problem. 
We solve this problem by enriching the mapping with a conjunct that rules some 
of the non-closed models out. 

Definition 5.10. $[\![\phi]\!]^+ = [\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset \wedge \bigwedge_{m \in nm([\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset)} \neg\copyright m$ 

This new translation will ensure that any SL model of the translated formula 
is "closed enough", i.e. all its free names are disjoint from the names in the 
formula. Now we use the cut operation and Theorem 5.4 to show that these 
"residual" free names are irrelevant, hence that every model of the enriched 
translation actually corresponds to a FOL model, finally reducing $SAT_{SL}$ to 
$SAT_{FOL}$. 

Lemma 5.11. Let $T = Cut_{N'}(U)$ for some $N'$, $U$; then: 

$fn(T) = \emptyset \Rightarrow \exists \mathcal{D},\mathcal{R},N.\ T = [\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N}$ 

Theorem 5.12 (Reduction of FOL Satisfiability). For any closed FOL for- 
mula $\phi$, $SAT_{FOL}(\phi) \Leftrightarrow SAT_{SL}([\![\phi]\!]^+)$. 

Proof ($\Rightarrow$) Let $\mathcal{D},\mathcal{R}$ be such that $(\mathcal{D},\mathcal{R}),\emptyset \models \phi$. By Theorem 5.8, $[\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N}$ 
satisfies $[\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset$. Since $[\![\mathcal{D},\mathcal{R}]\!]^{\emptyset,N}$ is closed, it also satisfies $\neg\copyright m$ for any $m$. 

($\Leftarrow$) Assume $SAT_{SL}([\![\phi]\!]^+)$ and let $N = nm([\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset)$. Then, there exists $T$ 
such that $T \models [\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset$ and $T \models \bigwedge_{m \in N} \neg\copyright m$, i.e. $fn(T) \cap N = \emptyset$. Consider now 
$U = Cut_N(T)$. By Theorem 5.4: $U \models [\![\phi]\!]^\emptyset(\!(\phi)\!)^\emptyset$; by $fn(T) \cap N = \emptyset$: $fn(U) = \emptyset$, 
and by Lemma 5.11, $U$ is the translation of a FOL interpretation $\mathcal{D},\mathcal{R}$. By 
Theorem 5.8, $\mathcal{D},\mathcal{R} \models \phi$; hence $SAT_{FOL}(\phi)$. 

Corollary 5.13 (Undecidability of revelation). Satisfiability (hence valid- 
ity) of closed formulas built from $n\circledR A$, $A \wedge A$, $\neg A$, $.n$, $.n_1.n_2$, is not decidable. 



5.3 Undecidability of Hiding Quantification 

In the full paper [17] we prove undecidability of hiding quantification in a similar 
way. The translation is simpler since we do not need the $(\!(\phi)\!)^P$ substitution any 
more. The key difference is the fact that an existential quantification is directly 
translated as a closed formula: 

$[\![\exists x.\,A]\!] = \mathsf{H}x.\,([\![A]\!] \wedge .x) \vee \bigvee_{y \in Y}$ [remainder illegible] 

By reasoning as in Section 5.2, we prove the following Corollary. 

Corollary 5.14 (Undecidability of Hiding). Satisfiability (hence validity) 
of closed formulas built from $\mathsf{H}x.\,A$, $A \wedge A$, $\neg A$, $.x_1$, and $.x_1.x_2$, is not decidable. 
6 Conclusions and Related Work 



In SL hiding can be expressed as freshness plus revelation. The main result of this 
paper is: freshness without revelation gives a rich decidable logic (Corollary 4.7) 
while revelation makes a minimal logic undecidable (Corollary 5.13). We also 
proved that hiding is undecidable, and some results about extrusion that we 
summarize below. 

The decidability result is based on the extrusion of freshness into a prenex 
form. The proof of decidability by extrusion is very attractive because it does not 
need combinatorial explorations of the model, but is based on the “algebraic” 
properties of the logic, and is robust with respect to variations on the logic itself. 

The undecidable logic is obtained by adding revelation to a minimal logic of 
propositional connectives and simple path formulas, hence we show that unde- 
cidability comes from revelation and not from the spatial nature of SL. Unde- 
cidability of any richer logic follows immediately. 

We summarize decidability and extrusion results for spatial logics in the 
following table. Detailed proofs of our results are shown in [17]. 



Table 6.1. A summary of decidability/extrusion results 

Logic                                        Decidable? 
$SL\{\}$                                     Yes, proved in [6] 
$SL\{\text{И}, \oslash, \copyright\eta\}$    Yes, proved in Corollary 4.7 
$SL\{\exists\}$                              No, follows from [14] 
$SL\{\circledR\}$                            No, follows from Corollary 5.13 
$SL\{\mathsf{H}\}$                           No, follows from Corollary 5.14 

Operator           Extrusion algorithm 
И                  Yes, see Table 4.2 and [18] 
$\circledR$        No, by Corollary 4.8 
$\mathsf{H}$       No, by Corollary 4.8 
$\exists$          No, by Corollary 4.8 



An extrusion algorithm for the freshness quantifier in [illegible] is used in [18] 
by Lozes to prove a surprising adjunct elimination theorem for [illegible]. 

The result is surprising in view of the fact that the parallel-adjunct seems 
to be extremely expressive, being able to quantify over infinite sets of trees, and 
of internalizing validity into model-checking. Lozes leaves the open problem of 
the existence of an effective adjunct-elimination procedure. As a corollary of our 
undecidability results, we can close that problem. 

Corollary 6.1. No effective adjunct-elimination procedure exists for $SL\{\text{И}, \circledR, \oslash\}$. 

Proof. An effective adjunct-elimination procedure would reduce model-checking 
of $SL\{\text{И}, \circledR, \oslash\}$, which we proved to be undecidable, to model-checking the same 
logic without adjuncts, which is decidable. 

A calculus to manipulate trees with hidden names has been presented in [9], 
whose type system includes the full SL. Hence, type inclusion in that calculus 
and validity in SL are mutually reducible. Decidability of subtype-checking was 
left as an open problem in [9]. Our results imply that it is undecidable. 



Acknowledgments. We would like to thank Luis Caires, Cristiano Calcagno, 
Luca Cardelli, Dario Colazzo, and Philippa Gardner, for suggestions and discus- 
sions which influenced this work in many ways. 






120 



G. Conforti and G. Ghelli 



References 

1. M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi 
calculus. Information and Computation, 148(1):1-70, 10 January 1999. 

2. Egon Börger, Erich Grädel, and Yuri Gurevich. The Classical Decision Problem. 
Springer-Verlag, 1997. 

3. L. Caires and L. Cardelli. A spatial logic for concurrency (Part I). In Proc. of 
Theoretical Aspects of Computer Software; 4th International Symposium, TACS 
2001, volume 2215 of LNCS, pages 1-37. Springer-Verlag, 2001. 

4. L. Caires and L. Cardelli. A spatial logic for concurrency (Part II). In Proc. of 
CONCUR'02, volume 2421 of LNCS, page 209. Springer-Verlag, 2002. 

5. L. Caires and L. Monteiro. Verifiable and executable logic specifications of con- 
current objects in $L_\pi$. In Proc. of the 7th European Symposium on Programming 
(ESOP'98), volume 1381 of LNCS, pages 42-56. Springer-Verlag, 1998. 

6. C. Calcagno, L. Cardelli, and A. D. Gordon. Deciding validity in a spatial logic for 
trees. In Proc. of ACM SIGPLAN Workshop on Types in Language Design and 
Implementation (TLDI'03), 2003. 

7. L. Cardelli. Describing semistructured data. SIGMOD Record, Database Principles 
Column, 30(4), 2001. 

8. L. Cardelli, P. Gardner, and G. Ghelli. A spatial logic for querying graphs. In 
Proc. of ICALP, volume 2380 of LNCS, page 597. Springer-Verlag, 2002. 

9. L. Cardelli, P. Gardner, and G. Ghelli. Manipulating trees with hidden labels. In 
Proc. of FOSSACS'03, volume 2620 of LNCS, pages 216-232. Springer-Verlag, 
2003. 

10. L. Cardelli and G. Ghelli. A query language based on the ambient logic. In Proc. 
of European Symposium on Programming (ESOP), Genova, Italy, volume 2028 of 
LNCS, pages 1-22. Springer-Verlag, 2001. 

11. L. Cardelli and A. D. Gordon. Anytime, anywhere: Modal logics for mobile ambi- 
ents. In Proc. of POPL. ACM Press, 2000. 

12. L. Cardelli and A. D. Gordon. Logical properties of name restriction. In Proc. of 
TLCA'01, volume 2044 of LNCS, pages 46-60. Springer, 2001. 

13. L. Cardelli and A. D. Gordon. Ambient logic. Submitted for publication, available 
from the authors, 2002. 

14. W. Charatonik and J.M. Talbot. The decidability of model checking mobile ambi- 
ents. In CSL: 15th Workshop on Computer Science Logic, volume 2142 of LNCS, 
page 339, 2001. 

15. G. Conforti and G. Ghelli. Spatial logics to reason about semistructured data. In 
Proc. of SEBD'03. Rubettino Editore, 2003. 

16. M. Gabbay and A.M. Pitts. A new approach to abstract syntax involving binders. 
In Proc. of LICS'99, pages 214-224. IEEE Computer Society Press, 1999. 

17. G. Ghelli and G. Conforti. Decidability of freshness, undecidability of revelation. 
Technical Report TR-03-11. Dipartimento di Informatica, Università di Pisa, 2003. 

18. E. Lozes. Adjuncts elimination in the static ambient logic. In Proc. of EX- 
PRESS'03, 2003. To appear. 

19. Peter O'Hearn, John C. Reynolds, and Hongseok Yang. Local reasoning about 
programs that alter data structures. In Proc. of CSL, volume 2142 of LNCS, 
pages 1-19. Springer-Verlag, 2001. 

20. A. M. Pitts. Nominal logic: A first order theory of names and binding. In Proc. of 
TACS 2001, volume 2215 of LNCS, pages 219-242. Springer-Verlag, 2001. 

21. John C. Reynolds. Separation logic: A logic for shared mutable data structures. 
In Proc. LICS'02, pages 55-74. IEEE Computer Society, 2002. 




LTL over Integer Periodicity Constraints 

(Extended Abstract) 



Stéphane Demri 

LSV/CNRS UMR 8643 & INRIA Futurs projet SECSI & ENS Cachan 
61, av. Pdt. Wilson, 94235 Cachan Cedex, France 
demri@lsv.ens-cachan.fr 



Abstract. Periodicity constraints are present in many logical for- 
malisms, in fragments of Presburger LTL, in calendar logics, and in log- 
ics for access control, to quote a few examples. We introduce the logic 
PLTL$^{mod}$, an extension of Linear-Time Temporal Logic LTL with past- 
time operators whose atomic formulae are defined from a first-order con- 
straint language dealing with periodicity. The underlying constraint lan- 
guage is a fragment of Presburger arithmetic shown to admit a PSPACE- 
complete satisfiability problem and we establish that PLTL$^{mod}$ model- 
checking and satisfiability problems are in PSPACE as plain LTL. The logic 
PLTL$^{mod}$ is a quite rich and concise language to express periodicity con- 
straints. We show that adding logical quantification to PLTL$^{mod}$ provides 
EXPSPACE-hard problems. As another application, we establish that the 
equivalence problem for extended single-string automata, known to ex- 
press the equality of time granularities, is PSPACE-complete. The paper 
concludes by presenting a bunch of open problems related to fragments 
of Presburger LTL. 



1 Introduction 

Presburger Constraints. Presburger constraints are present in many logical for- 
malisms including extensions of Linear-Time Logic LTL, see e.g. [AH94,Cer94] 
(and also [BEH95,CC00,BC02,DD02]). Formalisms with such constraints are also 
known to be well-suited for the specification and verification of infinite-state sys- 
tems, see e.g. [BH99,WB00,FL02]. 

In the paper, we are interested in models of Presburger LTL that are ω- 
sequences of valuations for a given set VAR of integer variables taking their 
values in $\mathbb{Z}$ and the atomic formulae are Presburger arithmetic constraints with 
free variables in VAR. For instance, $\phi = \Box(\mathrm{X}x = x)$ states that the value of the 
variable $x$ is constant over the time line where $\mathrm{X}x$ denotes the value of $x$ at the 
next state. A model of $\phi$ is simply an ω-sequence in $(\mathbb{Z})^\omega$. The counterpart of the 
high expressive power of Presburger LTL rests on its undecidability, shown by 
a standard encoding of the halting problem for two-counter machines. However, 
to regain decidability one can either restrict the underlying constraint language, 
see e.g. [AH94, Sect. 3] and [DD02], or restrict the logical language, see e.g. a 
decidable flat fragment of Presburger LTL in [CC00]. Herein, we shall consider 
versions of LTL with Presburger constraints with the full logical language (mainly 
LTL with past-time operators sometimes augmented with first-order quantifiers) 
but with strict fragments of Presburger arithmetic. 

Our motivation. Integer periodicity constraints, a special class of Presburger 
constraints, have found applications in many logical formalisms such as DAT- 
ALOG with integer periodicity constraints [TC98], logical formalisms dealing 
with calendars, see e.g. [Ohl94,Wij00,CFP02], temporal reasoning in database 
access control [BBFS96,BBFS98], and reasoning about periodic time in general- 
ized databases, see e.g. [NS92]. In view of the ubiquity of such constraints, the 
main motivation of the current work is to design a variant of LTL over a language 
for integer periodicity constraints that satisfies the following nice properties. 

— The logical language contains at least LTL (no flatness restriction). 

— The constraint language is expressive enough to capture most integer peri- 
odicity constraints used in calendar logics and in database access control. 
For instance, in [CFP02], the authors advocate the need to design an ex- 
tension of LTL that expresses quantitative temporal requirements, such as 
periodicity constraints. We provide in the paper such an extension. 

— Model-checking and satisfiability remain in PSPACE, and it should be possible to adapt 
the technique with Büchi automata [VW94] to this new extension of LTL. 

Last but not least, as a long-term project, we wish to understand what are 
the decidable fragments of Presburger LTL by restricting the constraint language 
but with the full logical language. 

Our contribution. We introduce a decidable fragment of Presburger LTL that satisfies the above-mentioned requirements. Let us be a bit more precise.

1. We introduce a first-order theory of integer periodicity constraints $\mathrm{IPC}^{++}$ and we show its PSPACE-completeness (Sects. 2 and 3). This is a fragment of Presburger arithmetic that extends the one from [TC98].

2. We show the PSPACE-completeness of PLTL (LTL with past-time operators) over $\mathrm{IPC}^{++}$ (logic denoted by $\mathrm{PLTL}^{\mathrm{mod}}$ in the paper) by using Büchi automata (Sect. 4) in the line of [VW94].

3. We prove that adding the existential operator $\exists$ at the logical level ($\exists$ is already present at the constraint level) may lead to an exponential blow-up of the complexity (Sect. 5). We show that $\mathrm{PLTL}(\mathrm{IPC}^{+})$, a fragment of $\mathrm{PLTL}^{\mathrm{mod}}$, augmented with $\exists$ has a satisfiability problem in EXPSPACE and that $\mathrm{PLTL}^{\mathrm{mod}}$ augmented with $\exists$ is EXPSPACE-hard.

4. As an application, we show the PSPACE-completeness of the equivalence problem for the extended single-string automata, improving the complexity bound from [LM01, Sect. 5] (Sect. 6). Extended single-string automata are Büchi automata that recognize exactly one ω-word, and guards involving periodicity constraints are present on the transitions. This formalism has been introduced as a concise means to define time granularities, and the equivalence problem for such automata is central to check the equality of time granularities, see also [Wij00].

Because of lack of space, the proofs are omitted and can be found in [Dem03].

2 PLTL over Periodicity Constraints

2.1 Constraint Languages

Let $\mathrm{VAR} = \{x_0, x_1, \ldots\}$ be a countably infinite set of variables. The constraint language IPC is defined by the grammar $p ::= x =_k y + c \mid x =_k c \mid p \wedge p \mid \neg p$, where $k, c \in \mathbb{N}$. A simple periodicity constraint is a conjunction of constraints of the form either $x =_k y + c$ or $x =_k c$. Given $X \subseteq \{\exists, [\,], <, =\}$, we define an extension of IPC, namely $\mathrm{IPC}^{X}$, by adding clauses to the definition of IPC:

— if $\exists \in X$, then the clause $\exists x\, p$ is added (existential quantification);

— if $[\,] \in X$, then the clause $x =_k y + [c_1, c_2]$ with $c_1, c_2 \in \mathbb{N}$ is added;

— if ${=} \in X$, then the clause $x = y$ with $x, y \in \mathrm{VAR}$ is added;

— if ${<} \in X$, then the clauses $x < c \mid x > c \mid x = c$ with $x \in \mathrm{VAR}$ and $c \in \mathbb{Z}$ are added.

In the sequel, $\mathrm{IPC}^{+}$ denotes … and $\mathrm{IPC}^{++}$ denotes $\mathrm{IPC}^{\{\exists, [\,], <, =\}}$, which is the richer constraint language considered in the paper. $\mathrm{IPC}^{++}$ is the extension of the language of the first-order theory of integer periodicity constraints introduced in [TC98] but with the inclusion of negation as in [BBFS96]. A semi-simple periodicity constraint is a conjunction between a simple periodicity constraint and a conjunction of atomic constraints of the form $x \sim c$ with ${\sim} \in \{<, >, =\}$. The interpretation of the constraints is standard ($v$ is a map $v : \mathrm{VAR} \to \mathbb{Z}$):

— $v \models x \sim c$ iff $v(x) \sim c$ with ${\sim} \in \{<, >, =\}$; $v \models x = y$ iff $v(x) = v(y)$;

— $v \models x =_k c$ iff $v(x)$ is equal to $c$ modulo $k$;

— $v \models x =_k y + c$ iff $v(x) - v(y)$ is equal to $c$ modulo $k$;

— $v \models x =_k y + [c_1, c_2]$ iff $v(x) - v(y)$ is equal to $c$ modulo $k$ for some $c_1 \le c \le c_2$;

— $v \models p \wedge p'$ iff $v \models p$ and $v \models p'$; $v \models \neg p$ iff not $v \models p$;

— $v \models \exists x\, p$ iff there is $c \in \mathbb{Z}$ s.t. $v[x \leftarrow c] \models p$, where $v[x \leftarrow c](x') = v(x')$ if $x' \ne x$, and $v[x \leftarrow c](x) = c$.

Given $p$ in $\mathrm{IPC}^{++}$ with free variables $x_1, \ldots, x_k$ (in the order of enumeration of the variables), $sol(p)$ denotes the set of $k$-tuples $(n_1, \ldots, n_k) \in \mathbb{Z}^k$ such that $[x_1 \leftarrow n_1, \ldots, x_k \leftarrow n_k] \models p$. Given a constraint language $L$, the $L$-satisfiability problem is to decide, given a constraint $p \in L$, whether $sol(p)$ is non-empty. Without any loss of generality, we assume that $p$ contains at least one free variable (otherwise consider $(x_1 =_1 0) \wedge p$ where $x_1$ does not occur in $p$) and that in $p$ a variable cannot occur both free and bound.

The expressive power of a constraint language $L$ is measured by the set $\{sol(p) : p \in L\}$. For instance, IPC is as expressive as $\mathrm{IPC}^{\{[\,]\}}$ since $x =_k y + [c_1, c_2]$ is equivalent to $\bigvee_{c_1 \le c \le c_2} x =_k y + c$. However, because all the natural numbers are encoded in binary, $\mathrm{IPC}^{\{[\,]\}}$ may be more concise than IPC. The introduction of the concise atomic constraints of the form $x =_k y + [c_1, c_2]$ is motivated by the existence of such constraints in the calendar logic from [Ohl94].
2.2 Definition of $\mathrm{PLTL}^{\mathrm{mod}}$

The atomic formulae of $\mathrm{PLTL}^{\mathrm{mod}}$ are expressions of the form $p[x_1 \leftarrow \mathrm{X}^{i_1}x_{j_1}, \ldots, x_k \leftarrow \mathrm{X}^{i_k}x_{j_k}]$ where $p$ is a constraint of $\mathrm{IPC}^{++}$ with free variables $x_1, \ldots, x_k$ (in the order of enumeration of the variables) and $p[x_1 \leftarrow \mathrm{X}^{i_1}x_{j_1}, \ldots, x_k \leftarrow \mathrm{X}^{i_k}x_{j_k}]$ is obtained from $p$ by replacing every occurrence of $x_\pi$ by $x_{j_\pi}$ preceded by $i_\pi$ next symbols, for $1 \le \pi \le k$. For instance, the formula $x =_2 0 \wedge \Box(\mathrm{X}x =_2 x + 1)$ states that the value of $x$ is even on states of even indices. Otherwise stated, the atomic formulae of $\mathrm{PLTL}^{\mathrm{mod}}$ are the constraints of $\mathrm{IPC}^{++}$ except that the variables are of the form $\mathrm{X}^{i}x_j$. The formulae of $\mathrm{PLTL}^{\mathrm{mod}}$ are defined by the grammar $\phi ::= p[x_1 \leftarrow \mathrm{X}^{i_1}x_{j_1}, \ldots, x_k \leftarrow \mathrm{X}^{i_k}x_{j_k}] \mid \neg\phi \mid \phi \wedge \phi \mid \mathrm{X}\phi \mid \phi\,\mathrm{U}\,\phi \mid \mathrm{X}^{-1}\phi \mid \phi\,\mathrm{S}\,\phi$, where $p$ belongs to $\mathrm{IPC}^{++}$. As usual, $\mathrm{X}$ is the next-time operator, $\mathrm{X}^{-1}$ is the previous past-time operator, $\mathrm{U}$ is the until operator, and $\mathrm{S}$ is the since past-time operator. We write $\mathrm{PLTL}(L)$ to denote the variant of $\mathrm{PLTL}^{\mathrm{mod}}$ where the atomic formulae are built from the constraint language $L$: $\mathrm{PLTL}^{\mathrm{mod}}$ is simply $\mathrm{PLTL}(\mathrm{IPC}^{++})$. We write $\mathrm{LTL}(L)$ to denote the restriction of $\mathrm{PLTL}(L)$ to the future-time operators $\mathrm{X}$ and $\mathrm{U}$. We include past-time operators in the logic in order to capture the conciseness of LTL with past considered in [CFP02]. However, the addition of a finite amount of MSO-definable temporal operators still guarantees the (forthcoming) PSPACE upper bound thanks to [GK03].

A model $\sigma$ for $\mathrm{PLTL}^{\mathrm{mod}}$ is an ω-sequence of valuations of the form $\sigma : \mathbb{N} \times \mathrm{VAR} \to \mathbb{Z}$. The satisfiability relation $\models$ is inductively defined below:

— $\sigma, i \models p[x_1 \leftarrow \mathrm{X}^{i_1}x_{j_1}, \ldots, x_k \leftarrow \mathrm{X}^{i_k}x_{j_k}]$ iff $[x_1 \leftarrow \sigma(i + i_1, x_{j_1}), \ldots, x_k \leftarrow \sigma(i + i_k, x_{j_k})] \models p$ (for $\mathrm{IPC}^{++}$);

— $\sigma, i \models \phi \wedge \phi'$ iff $\sigma, i \models \phi$ and $\sigma, i \models \phi'$; $\sigma, i \models \neg\phi$ iff not $\sigma, i \models \phi$;

— $\sigma, i \models \mathrm{X}\phi$ iff $\sigma, i + 1 \models \phi$; $\sigma, i \models \mathrm{X}^{-1}\phi$ iff $i > 0$ and $\sigma, i - 1 \models \phi$;

— $\sigma, i \models \phi\,\mathrm{U}\,\phi'$ iff there is $j \ge i$ s.t. $\sigma, j \models \phi'$ and for every $i \le k < j$, $\sigma, k \models \phi$;

— $\sigma, i \models \phi\,\mathrm{S}\,\phi'$ iff there is $0 \le j \le i$ s.t. $\sigma, j \models \phi'$ and for every $j < k \le i$, $\sigma, k \models \phi$.

A very important aspect of $\mathrm{PLTL}^{\mathrm{mod}}$ rests on the fact that the values of variables at different states can be compared. We use the standard abbreviations $\Diamond\phi$, $\Box\phi$, … The satisfiability problem for $\mathrm{PLTL}^{\mathrm{mod}}$ is to decide, given a formula $\phi$, whether there is $\sigma$ such that $\sigma, 0 \models \phi$. A few other remarks are in order. No propositional variables are part of $\mathrm{PLTL}^{\mathrm{mod}}$ but they can be easily simulated. Furthermore, we can simulate the access to past values of variables. For instance, $\mathrm{X}^{-2}x = x$ can be translated into $\mathrm{X}^{-1}\mathrm{X}^{-1}\top \wedge \mathrm{X}^{-1}\mathrm{X}^{-1}(x = \mathrm{X}^{2}x)$, assuming that if $\mathrm{X}^{-1}x$ is undefined, then the atomic constraint is interpreted by false. When complexity issues are considered, all the integers are encoded in binary representation.

$\mathrm{PLTL}^{\mathrm{mod}}$ is a quite rich and concise language to express periodicity constraints. Formulae of $\mathrm{PLTL}^{\mathrm{mod}}$ encode calendars and slices from [NS92], and formulae of the form $[\tau]\phi$ from [Ohl94], where $[\tau]\phi$ is interpreted by "for every point of the interval $\tau$, the formula $\phi$ holds", can be encoded by $\Box(\tau' \Rightarrow \phi)$. Here $\tau'$ is a constraint in $\mathrm{IPC}^{++}$ encoding $\tau$. Unlike what is done in [Ohl94], no exponential-time reduction to propositional calculus (PC) is performed. $\mathrm{PLTL}^{\mathrm{mod}}$ allows more efficient reasoning than an expensive translation into PC (see details in Sect. 4). Furthermore, we provide a quantitative version of LTL that meets the requirements from [CFP02] in order to deal with periodicity constraints.

2.3 Model-Checking

The languages of the form $\mathrm{PLTL}(L)$ are of course well-designed to perform model-checking of counter automata, similarly to what is done in [Cer94,DD03]. Given a constraint language $L$, a $\mathrm{PLTL}(L)$-automaton is a Büchi automaton $A$ over the alphabet of $\mathrm{PLTL}(L)$ formulas: transitions are of the form $q \xrightarrow{\phi} q'$. To each ω-word $w = \phi_0\phi_1\cdots$ accepted by $A$, we associate a model $\sigma$ which satisfies $\sigma, i \models \phi_i$ for $i \ge 0$. Let $l(A)$ denote the set $l(A) = \{\sigma : \mathbb{N} \times \mathrm{VAR} \to \mathbb{Z} \mid \exists w$ accepted by $A$ such that $\sigma, i \models w(i)$ for each $i\}$. The model-checking problem for $\mathrm{PLTL}(L)$ is defined as follows: given a $\mathrm{PLTL}(L)$-automaton $A$ and a $\mathrm{PLTL}(L)$ formula $\phi$, is there a $\sigma \in l(A)$ such that $\sigma \models \phi$?

Theorem 1. The model-checking and satisfiability problems for $\mathrm{PLTL}^{\mathrm{mod}}$ are inter-reducible with respect to logspace transformations.

The proof is similar to the proof of [DD03, Theorem 8.3]. That is why, in the sequel, only satisfiability problems are explicitly treated.

3 First-Order Theory of Integer Periodicity Constraints

Given $p$ in $\mathrm{IPC}^{++}$ with free variables $x_1, \ldots, x_k$, we shall construct a finite partition of $\mathbb{Z}^k$ such that (1) every region can be represented by a semi-simple periodicity constraint, and (2) for all $k$-tuples $z$ and $z'$ in a given region of the partition, $z \in sol(p)$ iff $z' \in sol(p)$. In this way, we are able to finitely represent the set of solutions $sol(p)$, and such a representation is easy to manipulate since it can be viewed as a disjunction of semi-simple periodicity constraints. This is actually a standard requirement when an infinite set of tuples has to be finitely abstracted, see e.g. the clock regions for timed automata in [AD94].

3.1 Quantifier Elimination

Quantifier elimination (QE) is a known method to show decidability of logical theories, see e.g. [Pre29,KK67]. In this section, we establish such a property to prove the PSPACE upper bound of the $\mathrm{IPC}^{++}$-satisfiability problem. Let $p$ be a constraint in $\mathrm{IPC}^{++}$ such that

— $c_1 < \ldots < c_n$ are the constants in $p$ occurring in constraints of the form $x \sim c$ with ${\sim} \in \{<, >, =\}$; we also fix $c_0 = -\infty$ and $c_{n+1} = +\infty$;

— $k_1, \ldots, k_u$ are the natural numbers occurring in constraints of the form $x =_k y + [d_1, d_2]$; we fix $K$ to be the least common multiple of $1, k_1, \ldots, k_u$, denoted by $lcm(1, k_1, \ldots, k_u)$. $K$ is in … ($|p|$ being the size of $p$ for some reasonably succinct encoding).
Given $p$, we define an equivalence relation ${\sim_p} \subseteq \mathbb{Z} \times \mathbb{Z}$ as follows: $z \sim_p z'$ iff (1) for all $i < j \in \{0, \ldots, n+1\}$, $c_i < z < c_j$ iff $c_i < z' < c_j$, and (2) for every $l \in \{0, \ldots, K-1\}$, $z =_K l$ iff $z' =_K l$. Hence, the number of equivalence classes of $\sim_p$ is bounded by $(n+1) \times K$, that is in … The idea behind the definition of $\sim_p$ is simply that $z \sim_p z'$ iff $z$ and $z'$ cannot be distinguished by constraints of $\mathrm{IPC}^{++}$ that use only $c_1, \ldots, c_n$ and $k_1, \ldots, k_u$. For instance, it is easy to check that for every $j \in \{1, \ldots, n\}$, $\{c_j\}$ is an equivalence class of $\sim_p$. The relation $\sim_p$ extended to tuples will not be a simple component-wise extension because of the presence of equality in $\mathrm{IPC}^{++}$. For $k \ge 1$, we say that $z = (z_1, \ldots, z_k) \sim_p z' = (z'_1, \ldots, z'_k)$ iff for every $i \in \{1, \ldots, k\}$, $z_i \sim_p z'_i$, and for all $i, j \in \{1, \ldots, k\}$, $z_i = z_j$ iff $z'_i = z'_j$. If $x_1, \ldots, x_k$ are the free variables in $p$, we write $z \sim_p z'$ for this relation on $k$-tuples as well. The number of equivalence classes of $\sim_p$ (on $k$-tuples) is bounded by $((n+1) \times K)^k \times 2^{k^2}$.

Lemma 1. Let $p$ be a constraint in $\mathrm{IPC}^{++}$ with $k$ free variables and $z, z' \in \mathbb{Z}^k$. $z \in sol(p)$ and $z \sim_p z'$ imply $z' \in sol(p)$.

The proof can be found in [Dem03]. Each equivalence class of $\sim_p$ on $\mathbb{Z}$ can be represented by a triple $(i, j, l)$ with $i, j \in \{0, \ldots, n+1\}$ and $l \in \{0, \ldots, K-1\}$ such that (1) $i \le j \le i+1$, (2) if $i = j$ and $c_i =_K l$ then $(i, j, l)$ represents the equivalence class $\{c_i\}$, and (3) if $j = i+1$, then $(i, j, l)$ represents the equivalence class $\{z \in \mathbb{Z} : c_i < z < c_{i+1}$ and $z =_K l\}$ if this set is non-empty. We introduce the map $[\cdot] : \mathbb{Z} \to \{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\}$ such that $[z]$ is the equivalence class of $\sim_p$ containing $z$. For instance, if $c_i =_K 0$, then $[c_i] = (i, i, 0)$. By extension, given $Y$ a non-empty finite subset of $\mathbb{N}$ of cardinality $k$ representing a set of variable indices, we introduce the map $[\cdot]^{Y} : \mathbb{Z}^k \to (\{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\})^k \times \mathcal{P}(Y^2)$ such that $[(z_1, \ldots, z_k)]^{Y} = (([z_1], \ldots, [z_k]), \{(J_i, J_j) \in Y^2 : z_i = z_j\})$, where $Y = \{J_1, \ldots, J_k\}$ and $J_1 < \ldots < J_k$. If $p$ has free variables $x_1, \ldots, x_k$, the finite set $(\{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\})^k \times \mathcal{P}(\{1, \ldots, k\}^2)$ will represent the equivalence classes of $\sim_p$ on $k$-tuples.

If $p$ contains $k$ free variables $x_1, \ldots, x_k$, we write $D_p$ to denote the domain $(\{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\})^k \times \mathcal{P}(\{1, \ldots, k\}^2)$ and $D_p^{sol}$ to denote the set $\{[z]^{\{1, \ldots, k\}} : z \in sol(p)\}$. The set $D_p$ is indeed a finite abstraction of the infinite domain $\mathbb{Z}^k$ with respect to the constraint $p$, and $D_p^{sol}$ is a finite representation of the possibly infinite set $sol(p)$. In the sequel, we show how an element of $D_p^{sol}$ can be represented by a semi-simple periodicity constraint.

To each $(i, j, l) \in \{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\}$ and variable index $\alpha \in \mathbb{N}$, we associate a semi-simple periodicity constraint $\mathrm{IPC}^{<}((i, j, l), \alpha)$ in $\mathrm{IPC}^{\{<\}}$ with free variable $x_\alpha$ defined as follows:

$$\mathrm{IPC}^{<}((i, j, l), \alpha) = \begin{cases} x_\alpha = c_i & \text{if } i = j, \\ (c_i < x_\alpha) \wedge (x_\alpha < c_j) \wedge x_\alpha =_K l & \text{if } j = i+1,\ i \ne 0, \text{ and } j \ne n+1, \\ x_\alpha < c_1 \wedge x_\alpha =_K l & \text{if } i = 0 \text{ and } j = 1, \\ c_n < x_\alpha \wedge x_\alpha =_K l & \text{if } i = n \text{ and } j = n+1, \\ \text{undefined} & \text{otherwise.} \end{cases}$$
We are now able to show that $\mathrm{IPC}^{++}$ satisfies (QE) by appropriately extending the map $\mathrm{IPC}^{<}$. To each $((t_1, \ldots, t_k), X) \in D_p$ we associate a semi-simple periodicity constraint $\mathrm{IPC}^{++}(((t_1, \ldots, t_k), X))$ defined by

$$\Big(\bigwedge_{1 \le i \le k} \mathrm{IPC}^{<}(t_i, i)\Big) \wedge \Big(\bigwedge_{(i,j) \in X} x_i = x_j\Big) \wedge \Big(\bigwedge_{(i,j) \notin X} \neg(x_i = x_j)\Big).$$

The following lemma (not difficult to show) makes explicit the relationship between the constraints generated by the map $\mathrm{IPC}^{++}(\cdot)$ and the map $[\cdot]^{\{1, \ldots, k\}}$.

Lemma 2. For all $(z_1, \ldots, z_k) \in \mathbb{Z}^k$ and $u \in D_p$, we have $[x_1 \leftarrow z_1, \ldots, x_k \leftarrow z_k] \models \mathrm{IPC}^{++}(u)$ iff $[(z_1, \ldots, z_k)]^{\{1, \ldots, k\}} = u$.

Theorem 2. $\mathrm{IPC}^{++}$ admits quantifier elimination.

Proof. Let $p$ be a constraint in $\mathrm{IPC}^{++}$ with free variables $x_1, \ldots, x_k$. We define below a quantifier-free constraint $p'$ in $\mathrm{IPC}^{++}$ such that $sol(p) = sol(p')$:

$$p' = \bigvee_{((t_1, \ldots, t_k), X) \in D_p^{sol}} \mathrm{IPC}^{++}(((t_1, \ldots, t_k), X)).$$

Equality between $sol(p)$ and $sol(p')$ can be proved by using Lemma 2.

3.2 PSPACE-Complete Satisfiability Problem

We establish that $\mathrm{IPC}^{++}$-satisfiability is decidable in polynomial space.

Theorem 3. $\mathrm{IPC}^{++}$-satisfiability is PSPACE-complete.

Proof (idea). PSPACE-hardness is immediate by reducing QBF. Satisfiability in PSPACE can be shown via a procedure similar to first-order model-checking [CM77], see details in [Dem03]. The PSPACE upper bound is obtained since the recursion depth of the procedure is polynomial and quantification over exponential-size sets is performed, which requires only polynomial space.
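As an added illustration (not code from the paper), the following Python evaluator decides $\mathrm{IPC}^{++}$ constraints under a valuation. Its existential case follows the idea of Theorem 3 and Lemma 1: instead of ranging over $\mathbb{Z}$, it tests one representative per class of $\sim_p$ (the constants $c_i$, plus for each interval and residue modulo $K$ a few witnesses), and additionally the values of the other free variables, which the equality constraints can observe. The AST encoding and the sample constraints are constructed here.

```python
from dataclasses import dataclass
from math import lcm
from typing import Dict, Optional, Set, Tuple, Union

# Constructed AST for IPC++ (the paper gives the grammar, not this encoding).
@dataclass(frozen=True)
class Mod:      # x =_k y + [lo, hi]; y is None for x =_k c (then lo = hi = c)
    x: str; k: int; y: Optional[str]; lo: int; hi: int
@dataclass(frozen=True)
class Cmp:      # x ~ c with ~ in {<, >, =}
    x: str; op: str; c: int
@dataclass(frozen=True)
class Eq:       # x = y
    x: str; y: str
@dataclass(frozen=True)
class Not:
    p: "Constraint"
@dataclass(frozen=True)
class And:
    p: "Constraint"; q: "Constraint"
@dataclass(frozen=True)
class Exists:   # exists x. p
    x: str; p: "Constraint"
Constraint = Union[Mod, Cmp, Eq, Not, And, Exists]
Valuation = Dict[str, int]

def free_vars(p: Constraint) -> Set[str]:
    if isinstance(p, Mod):
        return {p.x} | ({p.y} if p.y else set())
    if isinstance(p, Cmp):
        return {p.x}
    if isinstance(p, Eq):
        return {p.x, p.y}
    if isinstance(p, Not):
        return free_vars(p.p)
    if isinstance(p, And):
        return free_vars(p.p) | free_vars(p.q)
    return free_vars(p.p) - {p.x}

def params(p: Constraint) -> Tuple[Set[int], Set[int]]:
    """(constants c_i of the x ~ c constraints, moduli k_i of the =_k constraints)."""
    if isinstance(p, Cmp):
        return {p.c}, set()
    if isinstance(p, Mod):
        return set(), {p.k}
    if isinstance(p, Eq):
        return set(), set()
    if isinstance(p, And):
        c1, k1 = params(p.p)
        c2, k2 = params(p.q)
        return c1 | c2, k1 | k2
    return params(p.p)  # Not, Exists

def witnesses(a: Optional[int], b: Optional[int], l: int, K: int, count: int) -> Set[int]:
    """Up to `count` integers z with a < z < b and z =_K l (None means unbounded)."""
    if a is None and b is None:
        return {l + i * K for i in range(count)}
    if a is None:  # walk downwards from the largest z < b with z =_K l
        z = b - 1 - ((b - 1 - l) % K)
        return {z - i * K for i in range(count)}
    z = a + 1 + ((l - (a + 1)) % K)  # smallest z > a with z =_K l
    out: Set[int] = set()
    while len(out) < count and (b is None or z < b):
        out.add(z)
        z += K
    return out

def representatives(body: Constraint, x: str, v: Valuation) -> Set[int]:
    """Candidate values for x in (exists x. body) under v.  By Lemma 1 the truth
    of body depends only on the ~_body class of the tuple, so it suffices to try
    every constant c_i, every value of another free variable (equality can see
    them), and per interval (c_i, c_{i+1}) and residue l modulo K enough
    witnesses that one of them differs from all the other variables' values."""
    cs_set, ks = params(body)
    cs = sorted(cs_set)
    K = lcm(1, *ks)
    others = {v[y] for y in free_vars(body) - {x}}
    cands: Set[int] = set(cs) | others
    bounds = [None] + cs + [None]
    for a, b in zip(bounds, bounds[1:]):
        for l in range(K):
            cands |= witnesses(a, b, l, K, len(others) + 1)
    return cands

def holds(p: Constraint, v: Valuation) -> bool:
    """v |= p, following the semantics of Sect. 2.1."""
    if isinstance(p, Mod):
        base = v[p.y] if p.y else 0
        shifts = range(p.lo, min(p.hi, p.lo + p.k - 1) + 1)  # c in [lo, hi], modulo k
        return any((v[p.x] - base - c) % p.k == 0 for c in shifts)
    if isinstance(p, Cmp):
        return {"<": v[p.x] < p.c, ">": v[p.x] > p.c, "=": v[p.x] == p.c}[p.op]
    if isinstance(p, Eq):
        return v[p.x] == v[p.y]
    if isinstance(p, Not):
        return not holds(p.p, v)
    if isinstance(p, And):
        return holds(p.p, v) and holds(p.q, v)
    return any(holds(p.p, {**v, p.x: z}) for z in representatives(p.p, p.x, v))
```

The candidate set is polynomial in the number of classes and free variables, which is what keeps the recursion of Theorem 3 within polynomial space; the constraint $\exists z\,(x =_2 z \wedge y =_3 z)$ from Sect. 6, for instance, is found true for every $x, y$.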

The PSPACE-completeness of $\mathrm{IPC}^{++}$-satisfiability does not play in favor of the tractability of this first-order theory, especially if one compares it with NLOGSPACE consistency problems. However, Presburger arithmetic is of much higher complexity, and PSPACE-hardness is the optimal lower bound one can expect for PSPACE-complete PLTL over fragments of Presburger arithmetic.

Corollary 1. Let $p$ be a constraint in $\mathrm{IPC}^{++}$. Checking whether $u \in D_p$ belongs to $D_p^{sol}$ can be done in PSPACE.

Finally, (QE) holds and requires only polynomial space.

Corollary 2. Given a constraint $p$ in $\mathrm{IPC}^{++}$, one can compute an equivalent quantifier-free $p'$ in polynomial space in $|p|$ (but $|p'|$ may be exponential in $|p|$).

This is a mere consequence of the proof of Theorem 2, Corollary 1, and the fact that the elements of $D_p$ can be enumerated using polynomial space in $|p|$.
4 Complexity of $\mathrm{PLTL}^{\mathrm{mod}}$

Let $\phi$ be a $\mathrm{PLTL}^{\mathrm{mod}}$ formula with free variables $x_1, \ldots, x_s$, constants $c_1 < \ldots < c_n$ ($c_0 = -\infty$ and $c_{n+1} = +\infty$), and natural numbers $k_1, \ldots, k_u$ occurring in the context of $=_k$-atomic formulae, whose lcm is $K$. Without any loss of generality, we can assume that these sets of integers are non-empty. Let $\mathrm{X}(\phi)$ be one plus the greatest $i$ for some term $\mathrm{X}^{i}x$ occurring in $\phi$. For instance, $\mathrm{X}(\phi) = 2$ with $\phi = \Box(\mathrm{X}x =_4 x + 1)$. In the sequel, we pose $l = \mathrm{X}(\phi)$. $l$ is the maximal number of consecutive states necessary to evaluate an atomic subformula of $\phi$. We provide below a procedure to decide satisfiability of $\phi$ using only polynomial space in $|\phi|$.

4.1 Abstraction of $\mathrm{PLTL}^{\mathrm{mod}}$ Models

A model $\sigma$ of $\phi$ is a structure $\sigma : \mathbb{N} \times \{x_1, \ldots, x_s\} \to \mathbb{Z}$ such that $\sigma, 0 \models \phi$. However, each $\sigma(i) : \{x_1, \ldots, x_s\} \to \mathbb{Z}$ can take an infinite amount of values. By contrast, for classical LTL, there is a finite amount of interpretations over a finite set of propositional variables. That is why we abstract such valuations as elements of a finite set, more precisely the set $(\{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\})^k \times \mathcal{P}(\{1, \ldots, k\}^2)$ with $k = s \times l$. The rest of this section is dedicated to such abstractions by using Sect. 3.

Another way to understand a function $\sigma : \mathbb{N} \times \{x_1, \ldots, x_s\} \to \mathbb{Z}$ with the $\mathrm{PLTL}^{\mathrm{mod}}$ semantics is to view it as a structure $\sigma' : \mathbb{N} \times (\{x_1, \ldots, x_s\} \times \{0, \ldots, l-1\}) \to \mathbb{Z}$ such that (C1) for all $i \in \mathbb{N}$, $\alpha \in \{1, \ldots, s\}$, and $\beta \in \{1, \ldots, l-1\}$, $\sigma'(i, (x_\alpha, \beta)) = \sigma'(i+1, (x_\alpha, \beta-1))$. In that way, the pair $(x_\alpha, \beta)$ plays the role of $\mathrm{X}^{\beta}x_\alpha$. So far, the profile of $\sigma'$ depends on $\phi$ by the value $l$ and the number of variables $s$, but one has also to relate $\sigma'$ with $\sigma$. The condition (C2) below does the job: (C2) for all $i \in \mathbb{N}$ and $\alpha \in \{1, \ldots, s\}$, $\sigma'(i, (x_\alpha, 0)) = \sigma(i, x_\alpha)$.

The lemma below states the relevance of this encoding.

Lemma 3. $\phi$ is satisfiable iff there is a structure $\sigma' : \mathbb{N} \times (\{x_1, \ldots, x_s\} \times \{0, \ldots, l-1\}) \to \mathbb{Z}$ satisfying (C1) such that $\sigma', 0 \models \phi'$, where $\phi'$ is obtained from $\phi$ by replacing every occurrence of $\mathrm{X}^{\beta}x_\alpha$ by $(x_\alpha, \beta)$.

In Lemma 3 above, we assume that $\sigma', i \models p[x_1 \leftarrow (x_{j_1}, \beta_1), \ldots, x_d \leftarrow (x_{j_d}, \beta_d)]$ holds true, with $p \in \mathrm{IPC}^{++}$ and $p$ having free variables $x_1, \ldots, x_d$, whenever $[x_1 \leftarrow \sigma'(i, (x_{j_1}, \beta_1)), \ldots, x_d \leftarrow \sigma'(i, (x_{j_d}, \beta_d))] \models p$ in $\mathrm{IPC}^{++}$. For the Boolean and temporal operators, the relation $\models$ on structures $\sigma'$ is defined in the homomorphic way.

Let us now abstract the functions of the form $\sigma' : \mathbb{N} \times (\{x_1, \ldots, x_s\} \times \{0, \ldots, l-1\}) \to \mathbb{Z}$. We pose $k = s \times l$ and we write $D_\phi$ to denote the set $(\{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\})^k \times \mathcal{P}(\{1, \ldots, k\}^2)$ by similarity to the developments made in Sect. 3. $D_\phi^{sol}$ is defined as the subset of $D_\phi$ which is the image of $[\cdot]^{\{1, \ldots, k\}}$. In order to relate terms of the form $\mathrm{X}^{\beta}x_\alpha$ and variables $x_i$ ($i \in \{1, \ldots, k\}$), we introduce the map $f : \{x_1, \ldots, x_s\} \times \{0, \ldots, l-1\} \to \{1, \ldots, k\}$ as the bijection defined by $f((x_\alpha, \beta)) = s \times \beta + \alpha$. The inverse function $f^{-1}$ can be easily defined with the operations of the Euclidean division. Details are omitted here. One can check that $f^{-1}(1), f^{-1}(2), \ldots, f^{-1}(k)$ is precisely the sequence $(x_1, 0), (x_2, 0), \ldots, (x_s, 0), (x_1, 1), \ldots, (x_s, 1), \ldots, (x_s, l-1)$, that is, first the variables at the current state are enumerated, then the variables at the next state are enumerated, and so on.

Another way to understand a map $\sigma : \mathbb{N} \times (\{x_1, \ldots, x_s\} \times \{0, \ldots, l-1\}) \to \mathbb{Z}$ is to view it as a map $\sigma' : \mathbb{N} \to D_\phi$ such that (C3) for every $i \in \mathbb{N}$, if $\sigma'(i) = ((t_1, \ldots, t_k), X)$ and $\sigma'(i+1) = ((t'_1, \ldots, t'_k), X')$ then

1. $(t_{s+1}, \ldots, t_k) = (t'_1, \ldots, t'_{k-s})$ (shift of the values of the $s$ first variables);

2. $X \cap \{s+1, \ldots, k\}^2 = \{(u+s, v+s) : (u, v) \in X',\ u+s \le k,\ v+s \le k\}$ (preservation in $X'$ of $X$ restricted to the indices in $\{s+1, \ldots, k\}$).

One has also to relate $\sigma'$ with $\sigma$. The condition (C4) below does the job. First we need a preliminary definition. Given $g : \{x_1, \ldots, x_s\} \times \{0, \ldots, l-1\} \to \mathbb{Z}$, the $k$-tuple $(g(f^{-1}(1)), \ldots, g(f^{-1}(k)))$ is simply a representation of $g$ as a $k$-tuple of $\mathbb{Z}^k$ with $k = s \times l$. (C4) is then defined as the condition: for all $i \in \mathbb{N}$, $\sigma'(i) = [(\sigma(i)(f^{-1}(1)), \ldots, \sigma(i)(f^{-1}(k)))]^{\{1, \ldots, k\}}$. The following lemma shows the relevance of this abstraction.

Lemma 4. $\phi$ is satisfiable iff there is a structure $\sigma' : \mathbb{N} \to D_\phi$ satisfying (C3) such that $\sigma', 0 \models \phi'$, where $\phi'$ is obtained from $\phi$ by replacing every occurrence of $\mathrm{X}^{\beta}x_\alpha$ by $x_{f((x_\alpha, \beta))}$.

In Lemma 4 above, we assume that $\sigma', i \models p[x_1 \leftarrow x_{f((x_{j_1}, \beta_1))}, \ldots, x_d \leftarrow x_{f((x_{j_d}, \beta_d))}]$ holds true, with $p \in \mathrm{IPC}^{++}$ and $p$ having free variables $x_1, \ldots, x_d$, whenever $p[x_1 \leftarrow x_{f((x_{j_1}, \beta_1))}, \ldots, x_d \leftarrow x_{f((x_{j_d}, \beta_d))}] \wedge \mathrm{IPC}^{++}(\sigma'(i))$ is $\mathrm{IPC}^{++}$-satisfiable, where $\mathrm{IPC}^{++}(\cdot)$ is the map defined in Sect. 3.1. For the Boolean and temporal operators, the relation $\models$ on structures $\sigma'$ is defined in the homomorphic way. The abstraction of $\mathrm{PLTL}^{\mathrm{mod}}$ models is now satisfying since the domain of $\sigma'$ in Lemma 4 is finite and is of exponential cardinality in $|\phi|$.



4.2 Büchi Automata

Using the standard approach for LTL reducing model-checking and satisfiability problems to the emptiness problem for Büchi automata [VW94], we construct a Büchi automaton $A_\phi$ on the alphabet $D_\phi$ such that $L(A_\phi)$, the language recognized by $A_\phi$, is non-empty iff $\phi$ is $\mathrm{PLTL}^{\mathrm{mod}}$ satisfiable. The automaton $A_\phi$ is defined as the intersection of the following Büchi automata.

1. The automaton $A_{D_\phi^{sol}}$ recognizes all the ω-sequences in $(D_\phi^{sol})^\omega$. $A_{D_\phi^{sol}}$ is the structure $(Q, Q_0, \to, F)$ such that $Q = Q_0 = F = D_\phi$ and $u \xrightarrow{u''} u'$ iff $u = u''$ and $u \in D_\phi^{sol}$. By Corollary 1, one can check in polynomial space in $|\phi|$ whether $u \xrightarrow{u''} u'$.

2. The automaton $A_{(C3)}$ recognizes the ω-sequences satisfying (C3). $A_{(C3)}$ is the structure $(Q, Q_0, \to, F)$ such that $Q = Q_0 = F = D_\phi$ and $u \xrightarrow{u''} u'$ iff $u = u''$ and, if $u = ((t_1, \ldots, t_k), X)$ and $u' = ((t'_1, \ldots, t'_k), X')$, then $(t_{s+1}, \ldots, t_k) = (t'_1, \ldots, t'_{k-s})$ and $X \cap \{s+1, \ldots, k\}^2 = \{(u+s, v+s) : (u, v) \in X',\ u+s \le k,\ v+s \le k\}$. One can check in polynomial time in $|\phi|$ whether $u \xrightarrow{u''} u'$.

3. The automaton $A_{\mathrm{PLTL}}$ recognizes the ω-sequences in $D_\phi^\omega$ that satisfy $\phi$ (with the extended version of the relation $\models$).

The rest of this section is dedicated to the construction of $A_{\mathrm{PLTL}}$, based on developments from [LMS02] and on the abstraction introduced in Sect. 4.1. As usual, we define the closure of $\phi$, $cl(\phi)$, as the smallest set of formulae such that

— $\{\phi, \mathrm{X}^{-1}\top\} \subseteq cl(\phi)$ and $cl(\phi)$ is closed under subformulae;

— $cl(\phi)$ is closed under negation (we identify $\neg\neg\psi$ with $\psi$);

— $\psi\,\mathrm{U}\,\psi' \in cl(\phi)$ implies $\mathrm{X}(\psi\,\mathrm{U}\,\psi') \in cl(\phi)$; $\psi\,\mathrm{S}\,\psi' \in cl(\phi)$ implies $\mathrm{X}^{-1}(\psi\,\mathrm{S}\,\psi') \in cl(\phi)$.

The cardinality of $cl(\phi)$ is polynomial in $|\phi|$. We define an atom of $\phi$ to be a maximally consistent subset of $cl(\phi)$ defined as follows. $A$ is an atom of $\phi$ iff

— $A \subseteq cl(\phi)$ and $\top \in A$;

— for every $\psi \in cl(\phi)$, $\psi \in A$ iff not $\neg\psi \in A$;

— for every $\psi \wedge \psi' \in cl(\phi)$, $\psi \wedge \psi' \in A$ iff $\psi \in A$ and $\psi' \in A$;

— for every $\psi\,\mathrm{U}\,\psi' \in cl(\phi)$, $\psi\,\mathrm{U}\,\psi' \in A$ iff either $\psi' \in A$ or $\{\psi, \mathrm{X}(\psi\,\mathrm{U}\,\psi')\} \subseteq A$;

— for every $\psi\,\mathrm{S}\,\psi' \in cl(\phi)$, $\psi\,\mathrm{S}\,\psi' \in A$ iff either $\psi' \in A$ or $\{\psi, \mathrm{X}^{-1}(\psi\,\mathrm{S}\,\psi')\} \subseteq A$;

— for every $\mathrm{X}^{-1}\psi \in cl(\phi)$, $\mathrm{X}^{-1}\psi \in A$ implies $\mathrm{X}^{-1}\top \in A$.

We can now define the generalized Büchi automaton $A_{\mathrm{PLTL}} = (Q, Q_0, \to, \mathcal{F})$ with $\mathcal{F} = \{F_1, \ldots, F_m\} \subseteq \mathcal{P}(Q)$. A run $\rho : \mathbb{N} \to Q$ is accepting according to $\mathcal{F}$ iff for each $i \in \{1, \ldots, m\}$, $\rho(j) \in F_i$ for infinitely many $j \in \mathbb{N}$. A generalized Büchi condition can be easily converted to a Büchi condition. The elements of $A_{\mathrm{PLTL}}$ are defined as follows:

— $Q = \mathcal{P}(cl(\phi))$; $Q_0 = \{A \in Q : \{\phi, \neg\mathrm{X}^{-1}\top\} \subseteq A\}$.

— $X \xrightarrow{u} Y$ iff

(ATOM) $X$ and $Y$ are atoms of $\phi$.

($\mathrm{IPC}^{++}$) for every atomic $p$ in $X$, $p' \wedge \mathrm{IPC}^{++}(u)$ is $\mathrm{IPC}^{++}$-satisfiable, where $p'$ is obtained from $p$ by replacing the occurrences of $\mathrm{X}^{\beta}x_\alpha$ by $x_{f((x_\alpha, \beta))}$.

(NEXT) for each $\mathrm{X}\psi \in cl(\phi)$, $\mathrm{X}\psi \in X$ iff $\psi \in Y$.

(PREVIOUS) for each $\mathrm{X}^{-1}\psi \in cl(\phi)$, $\mathrm{X}^{-1}\psi \in Y$ iff $\psi \in X$.

— Let $\{\psi_1\,\mathrm{U}\,\varphi_1, \ldots, \psi_m\,\mathrm{U}\,\varphi_m\}$ be the set of until formulas in $cl(\phi)$. $\mathcal{F} = \{F_1, \ldots, F_m\}$ with, for every $i \in \{1, \ldots, m\}$, $F_i = \{Z \in Q : \psi_i\,\mathrm{U}\,\varphi_i \notin Z$ or $\varphi_i \in Z\}$.

In $A_{\mathrm{PLTL}}$, one can check whether $X \xrightarrow{u} Y$ holds true in polynomial space in $|\phi|$. The conditions (ATOM), (NEXT), and (PREVIOUS) can be checked in polynomial time in $|\phi|$. However, the above condition ($\mathrm{IPC}^{++}$) requires polynomial space by Corollary 1. The main difference with LTL with past remains in the condition at the atomic level, involving here an $\mathrm{IPC}^{++}$-satisfiability check.
Lemma 5. $\phi$ is satisfiable iff $L(A_\phi)$ is non-empty.

This is a consequence of Lemma 4 and of the construction of Büchi automata from formulae in LTL with past [LMS02]. It is now standard to prove

Theorem 4. Satisfiability for $\mathrm{PLTL}^{\mathrm{mod}}$ is in PSPACE.

The PSPACE-hardness of $\mathrm{PLTL}^{\mathrm{mod}}$ is a consequence of the PSPACE-hardness of LTL [SC85]. This PSPACE upper bound is quite remarkable: PSPACE-completeness of satisfiability problems in [BC02,DD03] has been mainly established for extensions of LTL over concrete domains with satisfiability problem in P (only).

5 Adding Logical First-Order Quantifiers

In this section, we investigate the complexity of $\mathrm{PLTL}(\mathrm{IPC}^{+})$ augmented with the existential quantifier $\exists$, extension denoted by $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$. In the general case, first-order LTL is known to be highly undecidable [Aba89]. Decidability of $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$ is mainly due to the fact that the constraint language $\mathrm{IPC}^{+}$ allows us to use an abstraction based on a finite domain (but whose size depends on the input formula). A similar argument cannot be used for $\mathrm{PLTL}^{\mathrm{mod}}$ augmented with the quantifier $\exists$ (denoted by $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{++})$), and the decidability status of this extension is unknown.

In order to define $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$, the definition of $\models$ is extended as follows: $\sigma, i \models \exists y\, \phi$ iff there exists $n \in \mathbb{Z}$ such that $\sigma', i \models \phi$, where (1) for all $j \in \mathbb{N}$ and $x \in \mathrm{VAR} \setminus \{y\}$, $\sigma'(j, x) = \sigma(j, x)$, and (2) for every $j \in \mathbb{N}$, $\sigma'(j, y) = n$. Variables used with quantifiers are said to be global, the other ones are said to be local (it is not difficult to guarantee that a variable cannot be both local and global in a given formula). Otherwise stated, $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$ is the extension of $\mathrm{PLTL}(\mathrm{IPC}^{+})$ where the temporal operators can be in the scope of $\exists$.

We write $\mathrm{PLTL}^{\downarrow}(\mathrm{IPC}^{++})$ to denote the fragment of $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{++})$ where the quantifier $\exists$ is used only in formulae of the form $\exists x'\, (x' = \mathrm{X}^{i}x) \wedge \phi$, with $i \ge 0$. We write $\downarrow_{x' = \mathrm{X}^{i}x} \phi$ instead of $\exists x'\, (x' = \mathrm{X}^{i}x) \wedge \phi$. The freeze quantifier $\downarrow$, which allows one to bind the values of variables to a fixed value, is a powerful binder used for instance in real-time logics [AH94] in order to capture the current value of a clock. The decidability status of decidable LTL over concrete domains from [DD03] but augmented with the freeze operator is still open. We treat a particular case with integer periodicity constraints for which decidability follows from decidability of $\mathrm{PLTL}^{\mathrm{mod}}$.

Lemma 6. Satisfiability for $\mathrm{PLTL}^{\downarrow}(\mathrm{IPC}^{++})$ restricted to future-time operators and simple periodicity constraints is EXPSPACE-hard.

The proof is based on a reduction of the $2^n$-corridor tiling problem into $\mathrm{PLTL}^{\downarrow}(\mathrm{IPC}^{++})$ satisfiability, see [Dem03, Theorem 17]. As a corollary, satisfiability for $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{++})$ is also EXPSPACE-hard. A preliminary version of this paper (including [Dem03]) abusively stated the EXPSPACE-hardness of the logic $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$, this problem being still open.
Lemma 7. Satisfiability for $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$ is in EXPSPACE.

Proof (idea). Let $\phi$ be a $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$ formula with (1) free variables $x_1, \ldots, x_k$; (2) $c_1 < \ldots < c_n$ the constants in $\phi$ occurring in constraints of the form $x \sim c$ with ${\sim} \in \{<, >, =\}$; (3) $k_1, \ldots, k_u$ the natural numbers occurring in the context of $=_k$-atomic formulae, whose lcm is denoted by $K$. Let $D$ be $\{(i, j, l) \in \{0, \ldots, n+1\}^2 \times \{0, \ldots, K-1\} : \mathrm{IPC}^{<}((i, j, l), 1)$ is satisfiable$\}$. To each $(i, j, l) \in D$, we associate a constant $n_{(i,j,l)}$ such that $|n_{(i,j,l)}|$ is polynomial in $|\phi|$ and $[x_\alpha \leftarrow n_{(i,j,l)}] \models \mathrm{IPC}^{<}((i, j, l), \alpha)$. We reduce $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$ satisfiability to $\mathrm{PLTL}(\mathrm{IPC}^{+})$ satisfiability. The translation $t$ is the following: $t(p) = p$ for $p$ atomic, $t$ is homomorphic for the Boolean and temporal operators, and $t(\exists x_\alpha\, \varphi) = \bigvee_{(i,j,l) \in D} t(\varphi[x_\alpha \leftarrow n_{(i,j,l)}])$, where $\varphi[x_\alpha \leftarrow n]$ denotes the formula obtained from $\varphi$ by replacing occurrences of $x_\alpha$ by $n$ with adequate simplifications. For instance $(x =_3 x' + [1, 2])[x' \leftarrow 5]$ is equal to $x =_3 0 \vee x =_3 1$.

$\phi$ is $\mathrm{PLTL}^{\exists}(\mathrm{IPC}^{+})$ satisfiable iff $t(\phi)$ is $\mathrm{PLTL}(\mathrm{IPC}^{+})$ satisfiable, and $|t(\phi)|$ is in …

The above translation does not work if we allow atomic constraints of the form $x = y$ (belonging to $\mathrm{IPC}^{++}$), as in $\Box \downarrow_{x' = x} \mathrm{X}\Box(\neg(x = x'))$, which characterizes models where all the values for $x$ are different. Such a formula is particularly interesting since in cryptographic protocols, nonces, ideally variables that never take twice the same value, are often used to guarantee freshness properties.

6 Application to Extended Single-String Automata

In this section, we characterize the complexity of the equivalence problem for extended single-string automata defined in [LM01, Sect. 5]. This problem is central to check whether two time granularities are equivalent (see also [Wij00]) when granularities are encoded with Büchi automata recognizing exactly one ω-word. Guards on transitions expressed by integer periodicity constraints and update maps on transitions provide conciseness of such constraint automata. We improve the known EXPSPACE upper bound from [LM01] into a PSPACE upper bound by reducing the equivalence problem to the model-checking problem for $\mathrm{PLTL}^{\mathrm{mod}}$-automata. Moreover, although a seemingly efficient algorithm is presented in [LM01], we show the PSPACE-hardness by reducing QBF.

Let $\mathrm{IPC}^{*}$ be the fragment of $\mathrm{IPC}^{++}$ containing Boolean combinations of atomic constraints of the form either $x =_k c$ or $\exists z\, (x =_k z \wedge y =_{k'} z)$. Elements of $\mathrm{IPC}^{*}$ will be guards on transitions. An update map $g$ for the variable $x_i$ is of the form either $x_i := x_i + c$ or $x_i := c$ with $c \in \mathbb{Z}$. We write $\mathrm{UP}_{x_1, \ldots, x_n}$ to denote the set of update maps for the set $\{x_1, \ldots, x_n\}$ of variables.

An extended single-string automaton $A$ (ESSA) over the finite set of variables $\{x_1, \ldots, x_n\}$ [LM01] is a structure $(Q, q_0, v_0, \Sigma, \delta)$ where

— $Q$ is a finite set of states and $q_0 \in Q$ (initial state);

— $v_0 \in \mathbb{Z}^n$ (initial value of the variables); $\Sigma$ is a finite alphabet;
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~ SCQxSxQx IPC* X ,x„) and for every q G Q, there are exactly 

two u such that (g, u) G S, say t6i and U 2 , and in that case Ui is of the form 
(ai,gi,p,Xi}, U 2 is of the form {a 2 , q 2 ,~'P, X 2 ) where p is a constraint in 
IPC* built over variables in {x\, . . . ,x„} and in both X\ and X 2 exactly 
one update map for Xi is present. 

The elements of 5 are also denoted by q q' {p is the guard and X is the global 
update map). A configuration is a member {q,v) G Q xIX. We define the one- 
step relation A for a G A as follows: (g, v) A (g', v') iff there is (g, a, q' , X,p) G S 
such that [x\ ^ v\,. . . , ^ u„] \= p (in IPC^'*') and for every g G X, (1) if g 

is Xi := Xi + c then v[ = Vi + c, and (2) if g is Xi := c then u' = c. There is exactly 
one sequence w = a\a 2 ■ ■ ■ G such that (go,uo) ^ (<?i) Af) A . . . . The unique 
w-sequence generated from A is denoted by The equivalence problem for 
ESS A consists in checking whether given two ESS A A and A' . The 

condition on 5 is introduced in [LMOl] to handle priorities between transitions. 
For instance, the w-word associated with the ESSA below is -5“: 
a, -^x =2» 2" — 1, a: X + 1 6, T, x 0 
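To make the semantics above concrete, here is a small simulator for ESSA. It is an added example, not code from [LM01] or from this paper. It follows the definition: guards are Boolean combinations of the two kinds of IPC* atoms, every state has exactly two transitions with guards $p$ and $\neg p$, and a global update map gives one update per variable. The tuple encoding of guards, the helper names and the sample automata are assumptions of the example; `counter_essa` rebuilds the automaton of the figure for a given $n$, and `equivalent` decides equivalence exactly, using the fact that an IPC* guard only observes each counter modulo the moduli that occur in the guards.

```python
"""ESSA simulator and exact equivalence check. Added example, not code
from the paper or from [LM01]; guard encoding and sample automata are
constructed for illustration."""
from dataclasses import dataclass
from math import gcd, lcm
from typing import Dict, List, Tuple

# IPC* guards as tuples: ("true",); ("mod", i, k, c) for x_i ≡_k c;
# ("eqmod", i, j, k, k2) for ∃z (x_i ≡_k z ∧ x_j ≡_{k2} z);
# ("not", g), ("and", g, h), ("or", g, h).
Guard = tuple
Valuation = Tuple[int, ...]
Update = Tuple[str, int]   # ("inc", c): x_i := x_i + c;  ("set", c): x_i := c


def holds(g: Guard, v: Valuation) -> bool:
    """Satisfaction [x_1 ↦ v_1, ..., x_n ↦ v_n] ⊨ g."""
    op = g[0]
    if op == "true":
        return True
    if op == "mod":
        return (v[g[1]] - g[3]) % g[2] == 0
    if op == "eqmod":  # a common z exists iff x_i ≡ x_j modulo gcd(k, k2)
        return (v[g[1]] - v[g[2]]) % gcd(g[3], g[4]) == 0
    if op == "not":
        return not holds(g[1], v)
    if op == "and":
        return holds(g[1], v) and holds(g[2], v)
    if op == "or":
        return holds(g[1], v) or holds(g[2], v)
    raise ValueError(f"unknown guard {g!r}")


def moduli(g: Guard) -> List[int]:
    """All k of the ≡_k atoms occurring in g."""
    if g[0] == "mod":
        return [g[2]]
    if g[0] == "eqmod":
        return [g[3], g[4]]
    if g[0] in ("not", "and", "or"):
        return [k for sub in g[1:] for k in moduli(sub)]
    return []


@dataclass(frozen=True)
class Transition:
    letter: str
    target: str
    update: Tuple[Update, ...]   # global update map: one update per variable


@dataclass
class ESSA:
    q0: str
    v0: Valuation
    # delta[q] = (p, u1, u2): u1 is taken when p holds, u2 when ¬p holds
    delta: Dict[str, Tuple[Guard, Transition, Transition]]


def step(A: ESSA, q: str, v: Valuation) -> Tuple[str, str, Valuation]:
    """The unique one-step successor of ⟨q, v⟩, with the letter emitted."""
    p, u1, u2 = A.delta[q]
    u = u1 if holds(p, v) else u2
    v2 = tuple(x + c if kind == "inc" else c for x, (kind, c) in zip(v, u.update))
    return u.letter, u.target, v2


def prefix(A: ESSA, n: int) -> str:
    """The first n letters of the ω-word generated by A."""
    q, v, out = A.q0, A.v0, []
    for _ in range(n):
        a, q, v = step(A, q, v)
        out.append(a)
    return "".join(out)


def equivalent(A: ESSA, B: ESSA) -> bool:
    """Do A and B generate the same ω-word?  Guards only see residues, so
    reducing counters modulo K = lcm of all moduli preserves both runs; the
    joint reduced configuration space is finite, so the loop terminates."""
    K = 1
    for M in (A, B):
        for p, _, _ in M.delta.values():
            for k in moduli(p):
                K = lcm(K, k)
    red = lambda v: tuple(x % K for x in v)
    state, seen = (A.q0, red(A.v0), B.q0, red(B.v0)), set()
    while state not in seen:
        seen.add(state)
        qa, va, qb, vb = state
        a, qa, va = step(A, qa, va)
        b, qb, vb = step(B, qb, vb)
        if a != b:
            return False
        state = (qa, red(va), qb, red(vb))
    return True


def counter_essa(n: int) -> ESSA:
    """The one-state ESSA of the figure: read a and count while
    x ≢ 2^n − 1 (mod 2^n), otherwise read b and reset x."""
    p = ("not", ("mod", 0, 2 ** n, 2 ** n - 1))
    return ESSA("q", (0,), {"q": (p, Transition("a", "q", (("inc", 1),)),
                                    Transition("b", "q", (("set", 0),)))})


def cyclic_essa(word: str) -> ESSA:
    """A variable-free ESSA spelling `word` forever (constructed); the
    second transition of each state carries guard ¬⊤ and is never taken."""
    delta = {}
    for i, a in enumerate(word):
        nxt = str((i + 1) % len(word))
        delta[str(i)] = (("true",), Transition(a, nxt, ()), Transition("-", nxt, ()))
    return ESSA("0", (), delta)
```

`prefix(counter_essa(2), 8)` returns `"aaabaaab"`, and `equivalent(counter_essa(2), cyclic_essa("aaab"))` is true although the first automaton has one state and the second four: the succinctness comes from the counter, which is exactly why the equivalence problem is not trivially in polynomial time.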




Lemma 8. The equivalence problem for ESSA can be solved in PSPACE. 

Proof. Given two ESSA A and A', we build an LTL(IPC^{++})-automaton B in 
polynomial time such that the non-emptiness of L(B) decides whether A and A' generate 
the same $\omega$-word. The LTL(IPC^{++})-automaton B is indeed a kind of product of A and A', 
see details in [Dem03]. The PSPACE bound is then a corollary of Theorem 1 and Theorem 4. 

One can also show that the equivalence problem for ESSA is PSPACE-hard even 
if the constraints occurring in transitions are either in $\{\top, \bot\}$ or literals built 
over atomic constraints of the form $x \equiv_k c$, the update maps are of the form 
either $x := x$ (identity) or $x := c$, and the alphabet $\Sigma$ is binary. 

Lemma 9. The equivalence problem for ESSA is PSPACE-hard. 

The proof of Lemma 9 (see [Dem03]) entails that the problem remains PSPACE- 
hard when the only integer $k$ in $\equiv_k$-guards occurring in A, A' is 2. Similarly, the 
problem remains PSPACE-hard when only two distinct variables are used. 

Theorem 5. The equivalence problem for ESSA is PSPACE-complete. 

7 Concluding Remarks 

We have introduced a first-order theory of periodicity constraints IPC^{++} whose 
satisfiability is PSPACE-complete and a version of LTL with past whose atomic 
formulae are constraints from IPC^{++} (with comparison of variables at differ- 
ent states). PLTL^{mod} is a very concise logical formalism for dealing with period- 
icity constraints. Nevertheless, we have shown that PLTL^{mod} model-checking 
and satisfiability are PSPACE-complete and that PLTL^{∃}(IPC^{+}), the extension of 
PLTL(IPC^{+}) with the quantifier ∃, is in EXPSPACE. As an application, we have 
also proved that the equivalence problem for ESSA introduced in [LM01, Sect. 
5] is PSPACE-complete, even if restricted to two variables. 

In the table below, we recall the main results about LTL and PLTL over 
periodicity constraints and we indicate open problems related to them. 

                               | LTL/PLTL                  | LTL/PLTL + ∃            | LTL/PLTL + ∃ 
{x < y, x = y}                 | PSPACE-complete [DD02]    | ? / undecidable         | undecidable 
{x < y, x = y, x < c, x = c}   | in EXPSPACE [DD03]        | ? / undecidable         | undecidable 
IPC + {x < y, x = y}           | ?                         | ? / undecidable         | undecidable 
IPC^{+}                        | PSPACE-complete (Thm. 4)  | in EXPSPACE (Lemma 7)   | in EXPSPACE (Lemma 7) 
IPC^{++}                       | PSPACE-complete (Thm. 4)  | ?                       | ? 

The question mark '?' refers to an open decidability status. All undecidability 
results are (more or less straightforward) consequences of the fact that LTL 
over the constraint language allowing atomic constraints of the form $x = y$ and 
$x = y + 1$ is undecidable, by simulation of two-counter machines. Among the 
open problems, we would like to emphasize that we do not know how to deal with ∃ 
in the presence of atomic constraints of the form $x = y$. The decidability status 
of LTL({x = y}) + ∃ restricted to formulae with a unique local variable is open. 
Finally, the difficulty with the decidability status of PLTL(IPC + {x < y, x = y}) 
is that LTL({x < y, x = y}) already characterizes non $\omega$-regular sequences 
of constraints, see details in [DD03]. 
Abstract. In this paper we present a theorem for defining fixed-points 
in categories of sheaves. This result gives a unifying and general account 
of most techniques used in computer science in order to ensure conver- 
gency of circular definitions, such as (but not limited to) well-founded 
recursion and contractivity in complete ultra metric spaces. This gen- 
eral fixed-point theorem encompasses also a similar set theoretic result 
presented in previous work, based on the notion of ordered family of 
equivalences, and implemented in the Coq proof assistant. 



1 Introduction 

Circular definitions are pervasive and fundamental in many fields of Mathematics 
and Computer Science. However, it is well known that not all circular definitions 
are meaningful, i.e. converging. Many different criteria and techniques have been 
introduced for establishing when a circular definition is well given, and in this 
case to calculate what is its meaning — the fixed point. 

One approach is to look for syntactically decidable criteria for recognizing 
well-given circular definitions. For defining objects in inductive datatypes we have 
thus, beside the traditional iteration and recursion schemata, various criteria 
such as the guarded-by-destructors condition (adopted in Coq [13,8]). For defin- 
ing objects in coinductive datatypes we have several coiteration and corecursion 
schemata, and the guarded-by-constructors condition of Coq [6]. These syntac- 
tic, intensional criteria can be completely automated in order to mechanically 
check that a given definition is correct. However, syntactic criteria always have 
a limited expressive power, and many sound definitions are rejected. 

In order to overcome this expressivity limitation, another approach is to es- 
tablish general results about the existence of fixed points in suitable semantic 
domains. In this case, a well-formed circular definition comes equipped with a for- 
mal assessment of its convergency, according to the theoretical properties of the 
intended model. A well-known and very general method for building models sup- 
porting recursive definitions is well-founded recursion (and variations thereof) 
[12,1,7,2]. A formal definition of a function by well-founded recursion must con- 
tain also the definition of the order over which the recursion goes, and the proof 
that the order is well-founded. In this case, the model is specified by the well- 
founded order, and a general result ensures the existence of the unique function 
recursively defined. 

Another important method for constructing models supporting circular def- 
initions is based on the Banach fixed point theorem for complete (ultra)metric 
spaces. In this case, the fixed point of a (contractive) function $f : D \to D$ is 
obtained by starting from an arbitrary point $x \in D$ and iterating the function $f$ 
$\omega$ times; this leads to a sequence $x, f(x), f^2(x), \dots$ 
whose limit $x_\omega$, which exists by completeness, is the desired fixed point. Despite 
its proved usefulness in many fields (e.g., in concurrency theory [3]), the Banach fixed 
point theorem has some limitations. First of all, one can find several examples in 
Computer Science and Mathematics where the fixed point of a function cannot 
be reached simply by this construction, but in which it is necessary to go beyond 
$\omega$ iterations, e.g. to construct a chain 

$$\dots, x_\omega, f(x_\omega), f^2(x_\omega), f^3(x_\omega), \dots, x_{2\omega}, f(x_{2\omega}), \dots, x_{\omega^2}, \dots$$ 

by repeatedly applying the function $f$ and the limit construction, until a fixed point 
is eventually reached. This sort of transfinite construction cannot be accommo- 
dated inside a complete ultrametric space structure. 

Another striking limitation is that in these approaches, the realm of “recur- 
sive” definitions in inductive spaces, and the realm of “co-recursive” definitions 
in co-inductive spaces are kept well apart: well-founded induction applies only to 
recursive definition and Banach fixed point theorem applies only to co-recursive 
definition. However, it is common in Computer Science to face mixed recursive- 
corecursive definitions, i.e., definitions whose soundness relies on both recursive 
and co-recursive arguments at once (see [4] for examples). Neither the sole Ba- 
nach fixed point theorem, nor the mere well-founded induction principles are 
enough for dealing with these mixed definitions. 

Therefore, what we need is a more general class of models, unifying the ap- 
proach based on Banach fixed point theorem in (ultra)metric spaces and that 
based on the well founded induction principle, with a general result for estab- 
lishing fixed points of circular definitions. This result should support “mixed” 
definitions, with both recursive and co-recursive aspects at once, and possibly 
with transfinite fixpoint constructions. This is the subject of this paper. 

A first step in this direction has been made in [4], where we introduced a fixed 
point theorem which can be used to prove the convergency of mixed recursive/co- 
recursive definitions. This theorem is a generalization of the Banach fixed point 
theorem on ultrametric spaces, with the idea of allowing the construction of a 
fixed point by iteration beyond the cardinal $\omega$. An aim of [4] was to give a result 
which can be formalized and used easily inside a logical framework (e.g., Coq, or 
Isabelle as in [11]), in order to prove the existence of, and to effectively construct, 
fixed points of functions. For this purpose, our theorem had to be constructive, 
and to deal with very simple structures. This simplicity is useful because in order 
to apply the theorem in the proof editor (Coq, in this case) to a function $f$ defined 
on a structure $X$, we need to prove explicitly that $X$ is an instance of our gener- 
alized complete ultrametric space and that the function $f$ is indeed contractive. 
In order to keep this overhead as low as possible, we looked for a minimal set of 
relevant and simple features of generalized complete ultrametric spaces and con- 
tractive functions. Thus, in [4] we arrived at the set-theoretic notion of (complete) 
ordered family of equivalences, which can be seen as a generalization and a sim- 
plification at once of the notion of complete ultrametric space. Over c.o.f.e.'s 
we defined a natural and general notion of contractivity, encompassing most 
schemata usually adopted for ensuring soundness of circular definitions. The con- 
ditions that a space has to satisfy in order to be a c.o.f.e. are simple and direct, 
hence the burden on the user for applying the fixed point theorem is limited. 

One natural question arising from this previous work is whether the condi- 
tions presented in [4] (and the similar ones in [11]) were somehow arbitrary, or 
whether they can be explained within a more general setting — and possibly generalized 
further. In this work, we answer this question positively. We analyze these 
constructions using category-theoretic tools, namely sheaf categories. Quite 
surprisingly, it turns out that the completeness conditions that we defined in 
[4] are almost equivalent to the amalgamation condition on sheaves, and there- 
fore that our generalized ultrametric spaces can be seen as a particular kind of 
sheaves. Moreover, the set-theoretic fixed point construction by well-founded in- 
duction of [4] can be extended to more general sheaves over a topology satisfying 
a sort of well-foundedness condition. 

In summary, the results of this work are twofold. First, we give a sheaf- 
theoretic explanation of the theory developed in [4], given by a correspondence 
between the completeness of o.f.e.'s and the amalgamation condition of sheaves. 
Moreover, in this categorical setting we can generalize our previous fixed 
point theorem further. This leads for instance to a more elegant treatment of one of the 
leading applications, i.e. the definition of functions by well-founded recursion. 

Synopsis. In Section 2 we recall the basic definitions about topological spaces, 
and presheaves and sheaves over topological spaces. In Section 3 we develop a 
general theory of fixed points in sheaf categories, unifying inductive and coin- 
ductive aspects of circular definitions. The connections between the category- 
theoretic results of this work and the set-theoretic ones presented in previous 
work (and implemented in Coq) are described in Section 4. Final conclusions and 
future work are discussed in Section 5. 

2 Basic Definitions 

2.1 Topological Spaces 

Recall that a topological space is a pair $(X, \mathcal{O}(X))$ where $X$ is a set and $\mathcal{O}(X)$, 
the topology over $X$, is a subset of $\wp(X)$ closed under arbitrary union and finite 
intersection, with $\emptyset, X \in \mathcal{O}(X)$. We often denote a topological space by its topol- 
ogy. We assume the reader familiar with the basic notions and properties from 
topology; see e.g. [9]. 

Definition 1. A base for a topological space $(X, \mathcal{O}(X))$ is a family $\mathcal{K} \subseteq \mathcal{O}(X)$ of 
open sets, ranged over by $K$, such that for every $V \in \mathcal{O}(X)$ there exists a family 
$\{K_i\}_{i \in I}$ of elements of the base, called a covering of $V$, such that $V = \bigcup_{i \in I} K_i$. 

A particular example of topological space that we will use quite often is the 
following: 

Definition 2. Let $(A, <)$ be an order. We define the downward closed topology 
over $A$, denoted by $\mathcal{O}(A)$, as the one whose open sets are all downward closed 
sets: for $U \subseteq A$, $U \in \mathcal{O}(A)$ if and only if for all $a \in U$, if $b < a$ then $b \in U$. 

It is immediate to see that $\mathcal{O}(A)$ is closed under arbitrary intersection and union, 
thus $\mathcal{O}(A)$ is indeed a topology. The smallest base for the downward closed 
topology is the set of cones on $(A, <)$, that is the sets of the form $\downarrow a = \{a' \mid a' < a\} \cup \{a\}$. 
In the following the set of cones of $A$ will be denoted by $\mathcal{K}_A$. 

In several examples we will consider the set $\omega$ of the natural numbers to- 
gether with the standard order. It is immediate to see that the open sets of 
the downward closed topology over $\omega$ are cones. In particular, by the standard 
construction defining an ordinal number as the set of its predecessors, we have 
that $\mathcal{O}(\omega) = \omega + 1$. In other words, the elements of $\mathcal{O}(\omega)$ are the natural numbers 
and the set $\omega$ itself. 

2.2 Presheaves 

Any topology $\mathcal{O}(X)$ with the subset relation forms an order (a complete Heyting 
algebra, actually). Therefore, as usual in category theory, we can see $\mathcal{O}(X)$ as a 
category with exactly one morphism $in_{U,V} : U \to V$ whenever $U \subseteq V$. 

Definition 3. A presheaf over (the topology) $\mathcal{O}(X)$ is a functor $P : \mathcal{O}(X)^{op} \to \mathbf{Set}$. 
Presheaves and natural transformations among them are the objects and mor- 
phisms of the functor category $\widehat{\mathcal{O}(X)} = \mathbf{Set}^{\mathcal{O}(X)^{op}}$. 

In particular we consider the following running examples: 

Example 1. (a) (Partial functions) A classical example of presheaf is the one 
formed by sets of partially defined continuous functions on a topological space. 
Let $\mathcal{O}(X), \mathcal{O}(Y)$ be two topological spaces. The presheaf $F_{X,Y} : \mathcal{O}(X)^{op} \to \mathbf{Set}$ 
of partial continuous functions to $Y$ is defined on objects as follows: 

$$F_{X,Y}(U) = U \to Y$$ 

(the set of continuous functions from $U$ to $Y$). On morphisms, $F_{X,Y}$ is defined by function restriction: given a morphism 
$in_{U,V} : U \to V$ in $\mathcal{O}(X)$ (i.e. $U \subseteq V$), and a continuous function $f : V \to Y$, 
then 

$$F_{X,Y}(in_{U,V})(f) = f|_U$$ 

i.e. the restriction of $f$ to the elements of $U$. 

(b) (Ultrametrics) Recall that an ultrametric space $S$ is a metric space whose 
distance $d : (S \times S) \to \mathbb{R}$ satisfies a stronger version of the triangle in- 
equality, namely for all $r, s, t \in S$: $d(r,s) \le \max\{d(r,t), d(t,s)\}$. As a con- 
sequence, balls in an ultrametric space are equivalence classes. An ultra- 
metric space $S$ together with a real number $c \in (0,1)$ induce a presheaf 
$M_{S,c} : \mathcal{O}(\omega)^{op} \to \mathbf{Set}$, defined on objects by $M_{S,c}(\alpha) = S/{=_\alpha}$, where $=_\alpha$ is 
the equivalence on $S$ defined by 

$$s =_\alpha t \iff \forall n \in \alpha .\ d(s,t) \le c^n$$ 

or, more concretely, 

$$s =_{n+1} t \iff d(s,t) \le c^n \qquad\qquad s =_\omega t \iff s = t.$$ 

On morphisms $M_{S,c}$ is defined by class immersion: given a morphism $in_{\alpha,\alpha'}$ 
in $\mathcal{O}(\omega)$ we define 

$$M_{S,c}(in_{\alpha,\alpha'})([s]_{\alpha'}) = [s]_\alpha .$$ 

(c) (Ordered families of equivalences) Recall from [4] that an ordered family of 
equivalences (o.f.e.) is a tuple $O = (A, <, X, =)$ where $A$ (the carrier) and 
$X$ (the domain) are sets, $<$ is a well-founded order on $A$ and $=$ is an $A$- 
indexed family of equivalence relations $\{=_a\}_{a \in A}$ on $X$. If $U \subseteq A$, we define 
the equivalence relation $=_U$ on $X$ as 

$$x =_U y \iff \forall a \in U .\ x =_a y$$ 

Along the same lines as the previous example, given an o.f.e. $(A, <, X, =)$ one 
can define a presheaf $E_{A,X} : \mathcal{O}(A)^{op} \to \mathbf{Set}$, formed by equivalence classes, 
as $E_{A,X}(U) = X/{=_U}$. On morphisms $E_{A,X}$ is defined by class immersion in 
the same way as $M_{S,c}$. 

Notation. Let $P : \mathcal{O}(X)^{op} \to \mathbf{Set}$ be a presheaf, and $in_{U,V} : U \to V$ a morphism 
between two open sets of the topology (i.e. an inclusion). For $a \in P_V$, the element 
$P(in_{U,V})(a) \in P_U$ will be denoted by $a|_U$ as a syntactic shorthand. 

2.3 Sheaves 

We consider now the category of sheaves $\mathbf{Sh}(A)$ over a topological space 
$(A, \mathcal{O}(A))$, as defined in [10, II.10]. 

Definition 4. A presheaf $P : \mathcal{O}(X)^{op} \to \mathbf{Set}$ is called a sheaf if it satisfies the 
following property: for all $U \in \mathcal{O}(X)$, for all open coverings $\{U_i\}_{i \in I}$ of $U$ (that 
is $U = \bigcup_{i \in I} U_i$), and for all families of sections $\{s_i \in P_{U_i}\}_{i \in I}$ which are pairwise compatible (that 
is, for all $i, j \in I$: $s_i|_{U_i \cap U_j} = s_j|_{U_i \cap U_j}$), there exists a unique $s \in P_U$ (called the 
amalgamation) such that for all $i \in I$: $s|_{U_i} = s_i$. 

The full subcategory of $\widehat{\mathcal{O}(A)}$ whose objects are sheaves is denoted by $\mathbf{Sh}(A)$. 

By applying this definition to the three running examples we have: 

Example 2. (a) (Partial functions) For any two topological spaces $\mathcal{O}(X), \mathcal{O}(Y)$, 
the presheaf $F_{X,Y}$ is always a sheaf. In fact, given an open set $U \in \mathcal{O}(X)$ 
and an open covering $\{U_i\}_{i \in I}$ of $U$, a family of sections $\{f_i \in F_{X,Y}(U_i)\}_{i \in I}$ 
is pairwise compatible if for every pair $i, j \in I$ we have $\forall x \in U_i \cap U_j .\ f_i(x) = f_j(x)$. 
The amalgamation $f$ of this family can be defined as 

$$f(x) = f_i(x) \quad \text{with } x \in U_i$$ 

It is immediate to check that the definition is independent of the choice 
of $i$ and therefore correct. 

(b) (Ultrametrics) The presheaf $M_{S,c}$ is a sheaf if and only if the space $S$ is 
complete as a metric space. In fact, given a complete metric space $S$, a 
cardinal $\alpha \in \mathcal{O}(\omega)$, and a set $\{n_i\}_{i \in I}$ of cardinals having $\alpha$ as lub (i.e., a 
covering of $\alpha$), the sections $\{[s_i]\}_{i \in I}$ in $M_{S,c}$ are pairwise compatible if for 
every pair $i, j \in I$, whenever $n_i \le n_j$ we have that $s_i =_{n_i} s_j$, i.e. $d(s_i, s_j) \le c^{n_i - 1}$ (for $n_i > 0$). If $\alpha$ 
is a natural number then there exists $n_i = \alpha$ and the amalgamation point 
can be readily defined as $s = s_i$. If $\alpha = \omega$ then one can choose an increasing 
sequence of naturals $n_{k_0} < n_{k_1} < n_{k_2} < \dots$; it is then immediate to check 
that $s_{k_0}, s_{k_1}, s_{k_2}, \dots$ is a Cauchy sequence whose limit (which exists by 
completeness) is the amalgamation point. 

The proof of the other implication, namely that if $M_{S,c}$ is a sheaf then $S$ is 
a complete metric space, is almost immediate. 

(c) (Complete ordered families of equivalences) Given an ordered family of equiv- 
alences $(A, <, X, =)$, the presheaf $E_{A,X}$ is a sheaf if and only if the ordered 
family of equivalences $(A, <, X, =)$ is complete, in the sense of [4]. We will 
examine the connection between complete o.f.e.'s and sheaves in more detail 
in Section 4.2 below. 

3 Fixed Points in Sheaf Categories 

In this section, we present a general result for defining fixed points in sheaves. 
Our aim is to unify the coinductive approach, typical of complete metric spaces, 
and the inductive approach of definitions over well-founded orders. The amalga- 
mation condition of sheaves provides what is needed for dealing with the coinductive 
parts; on the other hand, the inductive counterpart corresponds to requiring a 
well-foundedness condition on the topology: 

Definition 5. A base $\mathcal{K}$ for a topological space $(X, \mathcal{O}(X))$ is said to be well-founded 
if $(\mathcal{K}, \subset)$ is a well-founded order, i.e., there exists no succession of base elements 
$K_1, K_2, K_3, \dots \in \mathcal{K}$ such that $K_1 \supsetneq K_2 \supsetneq \dots$. 

A topology is well-founded if it has a well-founded base. 

In particular, an order $(A, <)$ is well-founded if and only if the downward closed 
topology on $A$ is well-founded. Indeed, the set of cones $\mathcal{K}_A$ on $A$ forms a minimal 
base for $\mathcal{O}(A)$; therefore, $\mathcal{O}(A)$ is well-founded if and only if $\mathcal{K}_A$ is, and moreover 
the well-foundedness condition on $\mathcal{K}_A$ is immediately equivalent to the well-foundedness 
condition for $(A, <)$. 

An example of a non-well-founded topology is the real line $\mathbb{R}$ with the Euclidean 
topology. Let $\mathcal{K}$ be any base for $\mathbb{R}$, and $K \in \mathcal{K}$. Let us consider any open interval 
$U \subseteq K$, and let $V$ be the open interval formed by the first half of $U$; clearly $V$ is 
open, and therefore there exists $K' \in \mathcal{K}$ such that $K' \subseteq V \subsetneq U \subseteq K$. Repeating 
this procedure, we can define a non-well-founded chain $K \supsetneq K' \supsetneq K'' \supsetneq \dots$. 

In order to define a notion of contractivity for morphisms on (pre)sheaves we 
need to introduce the following definition: 

Definition 6. Let $\mathcal{K}$ be a base for a topological space $(X, \mathcal{O}(X))$. We define the 
predecessor operator $p : \mathcal{O}(X) \to \mathcal{O}(X)$ as follows 

$$pU = \bigcup \{K \in \mathcal{K} \mid K \subsetneq U\}$$ 

The operator $p$ is clearly monotone so it can be seen as a functor on $\mathcal{O}(X)$. 
Moreover, $p$ is decreasing (for all $U \in \mathcal{O}(X)$: $pU \subseteq U$), so there exists a (unique) 
inclusion natural transformation $i : p \to Id$. 

Note that $p$ differs from the identity only on the elements of the base and 
that in the topology $\mathcal{O}(\omega)$ we have that $pn = n - 1$ and $p\omega = \omega$. 

In the following, for $P : \mathcal{O}(X)^{op} \to \mathbf{Set}$, we will denote by $Pp : \mathcal{O}(X)^{op} \to \mathbf{Set}$ 
the presheaf obtained by composition, i.e. $(Pp)_U = P_{pU}$ and, for $in_{U,V} : U \to V$, 
$(Pp)_{in_{U,V}} = P_{in_{pU,pV}} : P_{pV} \to P_{pU}$. Similarly, $Pi$ is the natural transformation 
$Pi : P \to Pp$ defined by componentwise application: for $U \in \mathcal{O}(X)$, $(Pi)_U = 
P_{i_U} = P_{in_{pU,U}} : P_U \to P_{pU}$ (since $i_U = in_{pU,U} : pU \to U$). 
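The definitions of the downward closed topology, its base of cones and the predecessor operator $p$ can be checked mechanically on a finite poset, where every order is well-founded. The following Python is an added example, not the paper's code; the two sample posets (an initial segment of $\omega$, and the divisors of 12 ordered by divisibility), the function names and the brute-force enumeration of downward closed subsets are assumptions of the example. It verifies that $p$ is decreasing and monotone, that it is the identity on every open set that is not a cone, that it strictly shrinks every cone (which is the well-foundedness of the base), and that on $\{0, \dots, n-1\}$ it yields $pn = n - 1$.

```python
"""Downward closed topology, cones and the predecessor operator p
(Definitions 2, 5 and 6) on a finite poset. Added example, not the
paper's code; the posets below are constructed for illustration."""
from itertools import combinations
from typing import Callable, FrozenSet, Hashable, Iterable, Set

Elem = Hashable
Open = FrozenSet[Elem]
Lt = Callable[[Elem, Elem], bool]   # strict order: lt(b, a) means b < a


def cone(a: Elem, elems: Iterable[Elem], lt: Lt) -> Open:
    """The cone ↓a = {a' | a' < a} ∪ {a}, a base element of O(A)."""
    return frozenset({a} | {b for b in elems if lt(b, a)})


def downward_closed_opens(elems: Iterable[Elem], lt: Lt) -> Set[Open]:
    """All open sets of O(A), i.e. all downward closed subsets."""
    elems = list(elems)
    opens: Set[Open] = set()
    for r in range(len(elems) + 1):
        for sub in combinations(elems, r):
            s = frozenset(sub)
            if all(b in s for a in s for b in elems if lt(b, a)):
                opens.add(s)
    return opens


def is_topology(opens: Set[Open], whole: Open) -> bool:
    """∅ and A are open and opens are closed under union and intersection
    (on a finite poset, binary closure is enough)."""
    if frozenset() not in opens or whole not in opens:
        return False
    return all(u | v in opens and u & v in opens for u in opens for v in opens)


def predecessor(u: Open, base: Set[Open]) -> Open:
    """pU = ⋃{K ∈ 𝒦 | K ⊊ U} (Definition 6); frozenset '<' is proper subset."""
    return frozenset().union(*(k for k in base if k < u))


def check_predecessor(elems: Iterable[Elem], lt: Lt) -> bool:
    """p is decreasing and monotone, fixes every non-base open set, and
    strictly shrinks every cone (the base is well-founded)."""
    elems = list(elems)
    opens = downward_closed_opens(elems, lt)
    base = {cone(a, elems, lt) for a in elems}
    p = {u: predecessor(u, base) for u in opens}
    return (all(p[u] <= u for u in opens)
            and all(p[u] <= p[v] for u in opens for v in opens if u <= v)
            and all(p[u] == u for u in opens if u not in base)
            and all(p[k] < k for k in base))


# Constructed posets: an initial segment of ω, and the divisors of 12.
NATS = list(range(6))
NAT_LT: Lt = lambda b, a: b < a
DIVISORS = [1, 2, 3, 4, 6, 12]
DIVIDES: Lt = lambda b, a: a % b == 0 and b != a


def omega_predecessor(n: int) -> Open:
    """p applied to the open set n = {0, ..., n-1} of O(ω); expect n - 1."""
    base = {cone(k, NATS, NAT_LT) for k in NATS}
    return predecessor(frozenset(range(n)), base)
```

On the divisibility poset the open set $\{1, 2, 3\}$ is not a cone, and `predecessor` returns it unchanged because it is the union of the smaller cones $\{1\}$, $\{1, 2\}$ and $\{1, 3\}$; on the cone $\{1, 2, 4\}$ it returns $\{1, 2\}$, the strict downset of 4.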

Definition 7. Given a well-founded base $\mathcal{K}$ for the topology $\mathcal{O}(X)$ and a 
presheaf $P : \mathcal{O}(X)^{op} \to \mathbf{Set}$, a natural transformation $f : P \to P$ is contractive 
(w.r.t. $\mathcal{K}$) if it factorizes along the natural transformation $Pi : P \to Pp$, i.e., 
there exists a natural transformation $\bar f : Pp \to P$ such that $f = \bar f \circ Pi$: 

$$f = \bar f \circ Pi : P \xrightarrow{\ Pi\ } Pp \xrightarrow{\ \bar f\ } P, \quad \text{that is, for } U \in \mathcal{O}(X):\ f_U = \bar f_U \circ P_{in_{pU,U}} : P_U \to P_{pU} \to P_U$$ 

It is interesting to observe that the above definition of contractivity encom- 
passes most standard and well-known criteria used for ensuring existence of a 
fixed point, such as the "guarded by constructors/destructors" conditions. More 
generally, these criteria are subsumed by the following examples: 

Example 3. (a) (Recursive definitions of functions) Given a well-founded rela- 
tion $<$ on a set $A$ and $a \in A$, let us denote by $\downarrow^{<}\! a$ the set $\downarrow^{<}\! a = \{b \mid b < a\}$. 
Then a recursive definition of a function $A \to B$ is given by a function $G$ 
which maps an element $a \in A$ and a function $f : \downarrow^{<}\! a \to B$ to a value in $B$.¹ 

¹ Using dependent types, the arity of $G$ is $G : \prod_{a \in A} (\downarrow^{<}\! a \to B) \to B$. 
In this setting the function $h : A \to B$ recursively defined by $G$ is the unique 
function satisfying the equation: 

$$h(a) = G(a, h|_{\downarrow^{<} a})$$ 

Let us consider the downward closed topology $\mathcal{O}(A)$ on the partial order $A$ 
and the coarsest topology on $B$, i.e. the topology having as open sets just 
the empty set and the total space $B$. Given these two topological spaces, we 
can consider the sheaf of partial continuous functions $F_{A,B}$ and we have that the 
function $G$ induces a natural transformation $G^* : F_{A,B} \to F_{A,B}$ in $\mathbf{Sh}(A)$ 
defined as follows: 

$$G^*_U(f) = \lambda a.\, G(a, f|_{\downarrow^{<} a})$$ 

It is straightforward to prove that $G^*$ is indeed a natural transformation. 
Moreover, $G^*$ is contractive w.r.t. the base $\mathcal{K}_A$ formed by the cones of $A$: 
indeed, we can define $\bar G^*$ by 

$$\bar G^*_U(f|_{pU}) = \lambda a.\, G(a, (f|_{pU})|_{\downarrow^{<} a})$$ 

The above definition is correct since for each $U \in \mathcal{O}(A)$ and $a \in U$ we have 
that $\downarrow^{<}\! a \subseteq pU$ and therefore $(f|_{pU})|_{\downarrow^{<} a}$ is well defined. 

(b) (Ultrametrics) Let $(S, d : (S \times S) \to [0,1])$ be an ultrametric space, and 
$f : S \to S$ a function contractive with constant $c \in [0,1)$ (in the metric $d$). 
Then, $f$ induces a natural transformation $f^* : M_{S,c} \to M_{S,c}$ given by 

$$f^*_U([s]_U) = [f(s)]_U$$ 

Clearly $f^*$ is well-defined, and moreover contractive in the sense of Definition 
7: the factorizing natural transformation $\bar f^*$ is given by 

$$\bar f^*_U([s]_{pU}) = [f(s)]_U$$ 

The contractivity condition on the function $f$ ensures that this definition 
is correct, i.e. it preserves equivalences. Quite obviously $f^*$ satisfies the re- 
quired factorization. 

(c) (Ordered families of equivalences) Using the same pattern as the two previous 
examples we can reduce the notion of contractivity on o.f.e.'s [4, Definition 
5] to the contractivity on presheaves of Definition 7. We will examine this 
case in detail in Section 4.1 below. (Example 3) 

Theorem 1 (General Fixed Point Theorem). Let $A$ be a topology with a 
well-founded base $\mathcal{K}$, and $P \in \mathbf{Sh}(A)$ a sheaf on $A$. Then, every natural trans- 
formation $f : P \to P$ contractive w.r.t. $\mathcal{K}$ has a unique fixed point, i.e. there 
exists a unique natural transformation $\mu : 1 \to P$ in $\mathbf{Sh}(A)$ such that $f \circ \mu = \mu$. 

Proof. In order to define $\mu = \{\mu_U : 1 \to P_U \mid U \in \mathcal{O}(A)^{op}\}$, it suffices to define 
only the components on base elements, $\{\mu_K \in P_K \mid K \in \mathcal{K}\}$, and prove that 
they satisfy the naturality condition, i.e., for all $K, K' \in \mathcal{K}$, 

$$\text{if } K' \subseteq K \text{ then } \mu_K|_{K'} = \mu_{K'} \qquad (1)$$ 

In virtue of this fact we can then extend by amalgamation the definition of $\mu$ to 
any open set $U$. If $U = \bigcup_{i \in I} K_i$, then $\mu_U \in P_U$ is defined as the amalgamation 
of the sections $\{\mu_{K_i} \in P_{K_i} \mid i \in I\}$, which are pairwise compatible by (1). 

We will define the components $\mu_K$ and prove the equality (1) at the same 
time, by well-founded induction on the subset relation on the elements of the 
base $\mathcal{K}$. The definition of $\mu$ on elements of the base is the following: 

$$\mu_K = \bar f_K \circ \mu_{pK}$$ 

where $\mu_{pK} : 1 \to P_{pK}$ is defined as the amalgamation of the morphisms $\{\mu_{K'} : 
1 \to P_{K'} \mid K' \subsetneq K\}$. The equality (1) is proved by observing that the following 
diagram commutes: 

$$\begin{array}{ccccc} 
1 & \xrightarrow{\ \mu_{pK}\ } & P_{pK} & \xrightarrow{\ \bar f_K\ } & P_K \\ 
\| & & \big\downarrow{\scriptstyle P_{in_{pK',pK}}} & & \big\downarrow{\scriptstyle P_{in_{K',K}}} \\ 
1 & \xrightarrow{\ \mu_{pK'}\ } & P_{pK'} & \xrightarrow{\ \bar f_{K'}\ } & P_{K'} 
\end{array}$$ 

In fact, $\mu_K = \bar f_K \circ \mu_{pK}$ and $\mu_{K'} = \bar f_{K'} \circ \mu_{pK'}$ by definition, while the square 
commutes by naturality of $\bar f$. It remains to prove that $P_{in_{pK',pK}} \circ \mu_{pK} = \mu_{pK'}$, 
i.e. that $\mu_{pK}|_{pK'} = \mu_{pK'}$. Since for all $K'' \subsetneq K'$ we have that $(\mu_{pK}|_{pK'})|_{K''} = 
\mu_{pK}|_{K''} = \mu_{K''}$, it follows that $\mu_{pK}|_{pK'}$ is the amalgamation point of the elements 
$\{\mu_{K''} \mid K'' \subsetneq K'\}$ and therefore equal to $\mu_{pK'}$. 

In order to prove the fixed-point equality $f \circ \mu = \mu$ it is sufficient to prove 
that it holds on the elements of the base. Indeed, for each $K \in \mathcal{K}$ the following 
diagram commutes: 

$$f_K \circ \mu_K \;=\; \bar f_K \circ P_{in_{pK,K}} \circ \mu_K \;=\; \bar f_K \circ \mu_{pK} \;=\; \mu_K$$ 

in fact by equality (1) $P_{in_{pK,K}} \circ \mu_K$ is the amalgamation point of the morphisms 
$\{\mu_{K'} \mid K' \subsetneq K\}$ and therefore $P_{in_{pK,K}} \circ \mu_K = \mu_{pK}$, while $f_K = \bar f_K \circ P_{in_{pK,K}}$ 
by contractivity of $f$. 

Given any other fixed point $\rho$, the following diagram commutes 

$$\rho_K \;=\; f_K \circ \rho_K \;=\; \bar f_K \circ P_{in_{pK,K}} \circ \rho_K \;=\; \bar f_K \circ \rho_{pK}$$ 

because $\rho_K = f_K \circ \rho_K$ by hypothesis, while $f_K = \bar f_K \circ P_{in_{pK,K}}$ by contractivity 
of $f$ and $P_{in_{pK,K}} \circ \rho_K = \rho_{pK}$ by naturality of $\rho$. 

Now we can finally prove, by induction on the subset relation on the elements 
of the base, that for all $K \in \mathcal{K}$, $\rho_K = \mu_K$. In fact by inductive hypothesis for all 
$K' \subsetneq K$, $\rho_{K'} = \mu_{K'}$, so $\rho_{pK} = \mu_{pK}$, since both arrows are amalgamation points 
of equal sections. From this, by the last two diagrams, we have the thesis. □ 
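The construction in the proof ($\mu_K = \bar f_K \circ \mu_{pK}$, by induction on the base) and the uniqueness argument can be run by hand on the simplest well-founded topology, $\mathcal{O}(\omega)$, where the base elements are the finite initial segments and $pn = n - 1$. The Python below is an added example, not code from the paper; the representation of a section over $n$ as a length-$n$ prefix of a stream (the sheaf $F_{\omega,B}$ of Example 1(a) with $B$ discrete), the function names and the two sample contractions (a guarded-by-constructors stream definition, and Example 3(a)'s well-founded recursion with a Fibonacci-like $G$) are assumptions of the example. `fixed_point` mirrors the inductive definition of $\mu$ on base elements, and `iterate` shows that starting from any section over $n$ and applying $f$ $n$ times gives the same result, which is the uniqueness part of Theorem 1 in this setting.

```python
"""Fixed points of contractive maps on the sheaf of finite prefixes over ω.
Added example, not code from the paper. A section over the open set
n = {0, ..., n-1} of O(ω) is a length-n prefix; restriction truncates, and
amalgamating compatible prefixes keeps the longest. Since p n = n - 1, a
contractive f is given by its factorization fbar_n : P_{n-1} -> P_n."""
from typing import Callable, List

Prefix = List[int]
Contraction = Callable[[Prefix], Prefix]   # fbar: length n-1 in, length n out


def fixed_point(fbar: Contraction, n: int) -> Prefix:
    """mu_n = fbar_n(mu_{n-1}) by induction on the base, as in the proof of
    Theorem 1; mu_0 is the unique section over the empty open set."""
    mu: Prefix = []
    for k in range(1, n + 1):
        mu = fbar(mu)
        if len(mu) != k:
            raise ValueError("fbar must map a section over k-1 to one over k")
    return mu


def iterate(fbar: Contraction, start: Prefix, steps: int) -> Prefix:
    """Banach-style iteration of f = fbar ∘ (restriction to n-1) from an
    arbitrary section over n = len(start). After k steps the first k
    entries are fixed, so after n steps the result is independent of start."""
    s = list(start)
    for _ in range(steps):
        s = fbar(s[:-1])
    return s


def guarded_stream(pre: Prefix) -> Prefix:
    """s = 1 :: map (2*) s, a guarded (coinductive) definition: the n-th
    element of the output depends only on the first n-1 of the input."""
    return [1] + [2 * x for x in pre]


def well_founded_rec(G: Callable[[int, Prefix], int]) -> Contraction:
    """Example 3(a) on (ω, <): Gbar_U(h|pU) = λa. G(a, (h|pU)|↓a), where
    the strict downset ↓a = {b | b < a} is the prefix of length a."""
    return lambda pre: [G(a, pre[:a]) for a in range(len(pre) + 1)]


def fib_step(a: int, below: Prefix) -> int:
    """A sample G: uses h(a-1) and h(a-2) taken from h restricted below a."""
    return 1 if a < 2 else below[a - 1] + below[a - 2]


if __name__ == "__main__":
    print(fixed_point(guarded_stream, 6))                   # [1, 2, 4, 8, 16, 32]
    print(fixed_point(well_founded_rec(fib_step), 8))       # [1, 1, 2, 3, 5, 8, 13, 21]
    print(iterate(well_founded_rec(fib_step), [7] * 8, 8))  # the same prefix
```

Both sample definitions are handled by the same `fixed_point`, which is the point of the theorem: the guarded stream is the coinductive case (the amalgamation over $\omega$ is the whole stream), the recursion is the inductive one, and the only input the construction needs is the factorization $\bar f$.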

4 Ordered Families of Equivalences and Presheaves 

In previous work [4], we have introduced and studied the notion of (complete) 
ordered families of equivalences, with the aim of developing a constructive, set- 
theoretic approach (implemented in Coq) allowing one to define general fixed points 
by mixed inductive/coinductive definitions. In this section, we develop a cate- 
gorical account of (complete) o.f.e.'s, and relate them to the theory developed 
in (pre)sheaf categories in Section 3. 

4.1 Relating o.f.e.’s to Presheaves 

In Example 1(c), we have recalled the definition of ordered family of equivalences, 
and shown that any o.f.e. can be seen as a presheaf. More precisely, we show now 
that the category of presheaves over $A$ is connected to the category of o.f.e.'s by 
an adjunction. 

Definition 8. Let $(A, <, X, =)$, $(A, <, X', =')$ be two o.f.e.'s on the same order 
$(A, <)$. A morphism $f : (A, <, X, =) \to (A, <, X', =')$ is a function $f : X \to X'$ 
such that for all $x, y \in X$, for all $a \in A$, if $x =_a y$ then $f(x) ='_a f(y)$. The 
o.f.e.'s over $(A, <)$ and their morphisms form a category denoted by $\mathbf{Ofe}(A, <)$. 

The definition can be generalized further. A morphism between two o.f.e.'s on 
possibly different orders is given by a pair $(h, f) : (A, <, X, =) \to (A', <', X', =')$ 
such that $h : (A', <') \to (A, <)$ is monotone and $f : X \to X'$ is such that for all 
$x, y \in X$, for all $a' \in A'$, if $x =_{h(a')} y$ then $f(x) ='_{a'} f(y)$. This gives rise to the 
category $\mathbf{Ofe}$ of all o.f.e.'s over any well-founded order, which is a fibred category 
over the category $\mathbf{Wfo}$ of well-founded orders. However, in the following we will 
dwell only in one fiber of this category at a time, i.e., we will consider only the more 
restricted definition of morphisms. 

We can define a functor $F : \mathbf{Ofe}(A, <) \to \widehat{\mathcal{O}(A)}$ as follows: 

— for $O = (A, <, X, =)$ an o.f.e., and $U \in \mathcal{O}(A)$, let $(F_O)_U = X/{=_U}$, where 
the equivalence relation $=_U$ over $X$ is defined as 

$$x =_U y \iff \forall a \in U :\ x =_a y\,.$$ 

For $in_{U,V} : U \to V$ a (unique) morphism in $\mathcal{O}(A)$, we define $F_O(in_{U,V}) : 
X/{=_V} \to X/{=_U}$ as $F_O(in_{U,V})([x]_{=_V}) = [x]_{=_U}$. (In the following, for sake of 
simplicity, we will denote $[x]_{=_U}$ just by $[x]_U$). 
— for $O = (A, <, X, =)$, $O' = (A, <, X', =')$ and $f : O \to O'$ in $\mathbf{Ofe}(A, <)$, 
we define the natural transformation $F_f : F_O \to F_{O'}$ whose component 
$(F_f)_U : X/{=_U} \to X'/{='_U}$ is defined by $(F_f)_U([x]_{=_U}) = [f(x)]_{='_U}$. 

The definition of the functor $G : \widehat{\mathcal{O}(A)} \to \mathbf{Ofe}(A, <)$ is as follows: 

— the action of $G$ on the object $P$ is defined as $O_P = (A, <, P_A, =)$, where for 
all $a \in A$: $x =_a y \iff P(in_{\downarrow a, A})(x) = P(in_{\downarrow a, A})(y)$, i.e. if $x|_{\downarrow a} = y|_{\downarrow a}$; 

— if $m : P \to Q$ is a morphism (i.e., a natural transformation) between two 
presheaves over $\mathcal{O}(A)$, we define $G_m = m_A : P_A \to Q_A$. Let us prove that 
$G_m = m_A$ is a morphism in $\mathbf{Ofe}(A, <)$. Let $x, y \in P_A$ be such that $x =_a y$, that 
is $P(in_{\downarrow a, A})(x) = P(in_{\downarrow a, A})(y)$; then, by naturality of $m$, 

$$Q(in_{\downarrow a, A})(m_A(x)) = m_{\downarrow a}(P(in_{\downarrow a, A})(x)) = m_{\downarrow a}(P(in_{\downarrow a, A})(y)) = Q(in_{\downarrow a, A})(m_A(y))$$ 

and thus $m_A(x) =_a m_A(y)$ in $Q_A$. 

The above definition is motivated by the fact that $P_A$ is the limit of the functor 
$P$ and that $P(in_{\downarrow a, A}) : P_A \to P_{\downarrow a}$ are the relative projections. 

The functors $F, G$ form an adjoint pair: 

Proposition 1. $F \dashv G : \mathbf{Ofe}(A, <) \rightleftarrows \widehat{\mathcal{O}(A)}$, with $F$ the left adjoint. 

Proof. Let $O = (A, <, X, =)$ be an o.f.e., and $P : \mathcal{O}(A)^{op} \to \mathbf{Set}$ a presheaf over 
$\mathcal{O}(A)$; we prove that $\mathrm{Hom}_{\widehat{\mathcal{O}(A)}}(F_O, P) \cong \mathrm{Hom}_{\mathbf{Ofe}(A,<)}(O, G_P)$. 

For each natural transformation $m : F_O \to P$, we can define the corre- 
sponding map $f : O \to G_P$ simply as $f : X \to P_A$, $f(x) = m_A([x]_{=_A})$. 

On the other hand, for each morphism in $\mathbf{Ofe}$, $f : O \to G_P$, we define the 
corresponding natural transformation $m : F_O \to P$ in $\widehat{\mathcal{O}(A)}$ as $m_U([x]_{=_U}) = 
f(x)|_U$, for each $U \in \mathcal{O}(A)$, $x \in X$. It is readily proved that $m$ is a natural 
transformation. 

It is easy to check that this bijection is natural in $O$ and $P$, hence the thesis. 

□ 

Both $F$ and $G$ are neither full nor faithful. 

Notice also that $GF \not\cong Id$; in fact $GF : \mathbf{Ofe}(A, <) \to \mathbf{Ofe}(A, <)$ is a quotient 
operation on the o.f.e.'s. Indeed, if $O = (A, <, X, =)$ is an o.f.e., then 

$$GF_O = (A, <, X/{=_A}, =') \quad \text{where } =_A \;=\; \bigcap_{a \in A} =_a \ \text{ and } \ [x] ='_a [y] \iff x =_{\downarrow a} y\,.$$ 

Finally, it is easy to check that these functors respect the two notions of 
contractivity on o.f.e.'s and on presheaves. Recall the definition of contractivity 
on o.f.e.'s from [4]: 

Definition 9 (Contractivity on o.f.e.'s). Given an o.f.e. $O = (A, <, X, =)$, 
a function $f : X \to X$ is contractive if for every pair of elements $x, y \in X$ and 
for every element $a$ in $A$, if $\forall a' < a .\ x =_{a'} y$, then $f(x) =_a f(y)$. 
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Then, contractive maps on o.f.e.’s correspond to contractive natural trans- 
formations on presheaves: 

Proposition 2. (i) Let O = {A,<,X,=) he an o.f.e., and let f : O ^ O 
be a eontractive morphism. Then, Ff : Fq — >■ Fq is a contractive natural 

transformation in 0(A). 

(ii) Let m : P — > P he a contractive natural transformation in 0{A). Then, 
Gm ■ Gp — >■ Gp is a contractive morphism in Ofe{A, <). 



4.2 Complete Ordered Families of Equivalences and Sheaves 

The general fixed point theorem of [4] applies to o.f.e.’s where all “Cauchy- like” 
successions have limits. We recall the following definitions from [4] : 

Definition 10. Let $O = (A, \le, X, \equiv)$ be an o.f.e., $I$ a subset of $A$, and $(x_a)_{a \in I}$ a family of elements in $X$, indexed by $I$.

— We say that $(x_a)_{a \in I}$ is coherent if $\forall a', a \in I \,.\, a' < a \Rightarrow x_{a'} \equiv_{a'} x_a$.

— We say that $(x_a)_{a \in I}$ has as a limit $y$ if $\forall a' \in I \,.\, x_{a'} \equiv_{a'} y$.



Definition 11. A complete ordered family of equivalences (c.o.f.e.) is a tuple $O = (A, \le, X, \equiv, \lim_{\in A}, \lim_{<\cdot})$ such that

— $(A, \le, X, \equiv)$ is an o.f.e.;

— $\lim_{\in A}$ is a function such that for all coherent families $(x_a)_{a \in A}$, $\lim_{a \in A} x_a$ is a limit for $(x_a)_{a \in A}$;

— $\lim_{<\cdot}$ is a function² such that for all $a \in A$ and for all coherent families $(x_{a'})_{a' \in \downarrow a}$, $\lim_{a' < a} x_{a'}$ is a limit for $(x_{a'})_{a' \in \downarrow a}$.

For each well-founded order $(A, \le)$, the complete o.f.e.'s over it and their morphisms as o.f.e.'s form a category denoted by $\mathbf{Cofe}(A, \le)$.

In this definition of c.o.f.e.'s we explicitly require the existence of two functions providing the limits for each coherent family. However, in order to establish an adjunction with the category of sheaves we need to adopt a weaker notion of completeness, where we only require the existence of limits without asking for the limit functions:

Definition 12. A weakly complete ordered family of equivalences is a tuple $O = (A, \le, X, \equiv)$ which is an o.f.e. and

— every coherent family of the form $(x_a)_{a \in A}$ has a limit,

— for each $a \in A$, every coherent family of the form $(x_b)_{b \in \downarrow a}$ has a limit.

For each well-founded order $(A, \le)$, we denote by $\mathbf{wCofe}(A, \le)$ the full subcategory of $\mathbf{Ofe}(A, \le)$ whose objects are weakly complete o.f.e.'s.
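A worked instance of Definitions 9 to 12, added here as an illustration; it is not taken from the paper, and the stream model used below is a standard example assumed for this purpose. Take $(A, \le) = (\mathbb{N}, \le)$, let $X = \Sigma^\omega$ be the set of infinite sequences over a set $\Sigma$, and put

$$x \equiv_n y \quad\text{iff}\quad x_i = y_i \text{ for all } i \le n .$$

Then $O = (\mathbb{N}, \le, \Sigma^\omega, \equiv)$ is an o.f.e. For a fixed $\sigma \in \Sigma$ the map $f(x) = \sigma :: x$ (prepending $\sigma$) is contractive in the sense of Definition 9: if $x \equiv_{n'} y$ for all $n' < n$, then $x_i = y_i$ for all $i < n$, hence

$$f(x)_0 = \sigma = f(y)_0, \qquad f(x)_i = x_{i-1} = y_{i-1} = f(y)_i \quad (1 \le i \le n),$$

that is, $f(x) \equiv_n f(y)$. A family $(x_n)_{n \in \mathbb{N}}$ is coherent (Definition 10) exactly when $(x_{n'})_i = (x_n)_i$ for all $i \le n' < n$, and the sequence $y$ with $y_i = (x_i)_i$ is a limit of it, since for $i \le n'$ coherence gives $(x_{n'})_i = (x_i)_i = y_i$. A coherent family indexed by $\downarrow n$ has the limit $x_{n'}$ for the largest index $n'$ it contains (for the empty family any $y$ is a limit), so taking these limits as $\lim_{\in A}$ and $\lim_{<\cdot}$ makes $O$ a c.o.f.e. (Definition 11) and in particular weakly complete (Definition 12). The fixed point that Corollary 1 supplies for $f$ is the constant stream $\sigma^\omega$, the unique $x$ with $x \equiv_{\mathbb{N}} \sigma :: x$.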

² Using a "dependent type" notation, the arity of the two limit constructors is $\lim_{\in A} : (A \to X) \to X$ and $\lim_{<\cdot} : \prod_{a \in A} (\downarrow a \to X) \to X$.
Clearly, one can define a forgetful functor $U : \mathbf{Cofe}(A, \le) \to \mathbf{wCofe}(A, \le)$ and there is an immersion functor $\mathbf{wCofe}(A, \le) \hookrightarrow \mathbf{Ofe}(A, \le)$. Moreover, the category $\mathbf{wCofe}(A, \le)$ is connected also to a suitable subcategory of the category of sheaves $\mathbf{Sh}(A)$ over the topological space $(A, O(A))$, as we will see next.

Let $\mathcal{E}$ be the full subcategory of $\mathbf{Sh}(A)$ of epi-preserving functors, i.e. of sheaves $S$ such that for all $U \subseteq V \in O(A)$: $S(in_{U,V}) : S_V \to S_U$ is epi³. Clearly we have the inclusions $\mathcal{E} \hookrightarrow \mathbf{Sh}(A) \hookrightarrow \hat{O}(A)$. We will show next that the adjunction of Proposition 1 can be lifted along the two inclusions $\mathbf{wCofe}(A, \le) \hookrightarrow \mathbf{Ofe}(A, \le)$ and $\mathcal{E} \hookrightarrow \hat{O}(A)$, by proving that $F$ and $G$ map weakly complete o.f.e.'s to sheaves and sheaves to weakly complete o.f.e.'s, respectively.

Let us prove that for $O = (A, \le, X, \equiv)$ a weakly complete o.f.e., the presheaf $S = F_O$ is indeed a sheaf. Let $U$ be an open subset of $A$, and $U = \bigcup_{i \in I} U_i$ an open covering of $U$. Let $\{s_i \in S_{U_i}\}$ be a family of pairwise compatible sections; more explicitly, for all $i, j \in I$, we have that $s_i \in X/\!\equiv_{U_i}$, $s_j \in X/\!\equiv_{U_j}$ and $S(in_i)(s_i) = S(in_j)(s_j)$ where $in_i : U_i \cap U_j \subseteq U_i$ and $in_j : U_i \cap U_j \subseteq U_j$. We have to define a unique amalgamation of these sections, that is a unique $s \in S_U$ such that for all $i \in I$: $S(in)(s) = s_i$, where $in : U_i \subseteq U$.

For each $a \in U$, there exists an open set $U_i$ in the covering of $U$ such that $a \in U_i$. Let $s_a = S(in_a)(s_i) \in S_{\downarrow a} = X/\!\equiv_{\downarrow a}$ (where $in_a : \downarrow a \subseteq U_i$); this definition is well given because it does not depend on the particular $U_i$ we choose, since the sections are pairwise compatible. For each $a$ in $U$, therefore, let us choose a representative $x_a \in s_a$ of the equivalence class $s_a$; we get thus a family $(x_a)_{a \in U}$ which is coherent (again by the compatibility of the sections). Therefore, since $O$ is a weakly complete o.f.e. and by the arguments used in [4, Prop. 1], there exists the limit $x$ for the coherent family $(x_a)_{a \in U}$. We can define the amalgamation $s$ as $s = [x]_{\equiv_U}$. This amalgamation is unique: let $s' \in S_U = X/\!\equiv_U$ be another partition such that for all $i \in I$: $s'|_{U_i} = s_i$ in $X/\!\equiv_{U_i}$. Let $y \in s'$; since $s'|_{U_i} = S(in_{U_i,U})(s')$, this means that for all $i \in I$: $[y]_{\equiv_{U_i}} = s_i$, i.e. $y \equiv_{U_i} x$. Since $\equiv_U \;=\; \bigcap_{i \in I} \equiv_{U_i}$, we have that $y \equiv_U x$, and hence $s' = [y]_{\equiv_U} = [x]_{\equiv_U} = s$.

On the other hand, we prove that the functor $G$ maps epi-preserving sheaves to weakly complete o.f.e.'s. Let $S : O(A)^{op} \to \mathbf{Set}$ be a sheaf in $\mathcal{E}$; we prove that the o.f.e. $G_S = (A, \le, S_A, \equiv)$ has all the required limits. Let $a \in A$ and let $(x_b)_{b \in \downarrow a}$ be a coherent family in $S_A$. To each $x_b$ we associate an element $s_b = x_b|_{\downarrow b} \in S_{\downarrow b}$. It is immediate to see that this family $\{s_b\}$ forms a pairwise compatible family of sections, and that $\bigcup_{b \in \downarrow a} \downarrow b = \downarrow a$. Therefore, there exists a (unique) amalgamation $s \in S_{\downarrow a}$. Since $S$ is epi-preserving, $\cdot|_{\downarrow a} : S_A \to S_{\downarrow a}$ is epi, and therefore there exists an $x \in S_A$ such that $x|_{\downarrow a} = s$. This means that for all $b \in \downarrow a$: $x|_{\downarrow b} = s_b = x_b|_{\downarrow b}$, that is $x \equiv_b x_b$, as required.

A similar (and simpler) argument shows that any coherent family of the form $(x_a)_{a \in A}$ has a limit. We have thus proved the following

Proposition 3. $F : \mathbf{wCofe}(A, \le) \rightleftarrows \mathcal{E} : G$, with $F \dashv G$.



³ Each $in_{U,V} : V \to U$ in $O(A)^{op}$ is epi because $in_{U,V} : U \to V$ is mono in $O(A)$.
The diagram aside summarizes the relationships between the categories introduced in this paper. The functor $a : \hat{O}(A) \to \mathbf{Sh}(A)$, left adjoint of the inclusion functor $i$, is the associated sheaf functor. Intuitively, $a(P)$ is the "closest" sheaf to the presheaf $P$, i.e., the "best approximation" of $P$ where the GFPT can be applied.

This diagram points out also that the GFPT over $\mathbf{Sh}(A)$ is strictly stronger than the previous result over c.o.f.e.'s [4, Theorem 1]. Indeed the latter can be derived as a corollary of the former:

Corollary 1 (GFPT for c.o.f.e.'s). Let $C = (A, \le, X, \equiv, \lim_{\in A}, \lim_{<\cdot})$ be a c.o.f.e., and $f : C \to C$ a contractive map. Then, there exists $x \in X$ such that $f(x) \equiv_A x$. Moreover, for all $y \in X$ such that $f(y) \equiv_A y$, we have that $x \equiv_A y$.

Proof. By applying the forgetful functor, $U(C) = (A, \le, X, \equiv)$ is a weakly complete o.f.e., and $f$ is a contractive map on $U(C)$. By Proposition 3, $S = F(U(C))$ is an epi-preserving sheaf, and in particular it is a sheaf in $\mathbf{Sh}(A)$. By Proposition 2, $F(f) : S \to S$ is contractive, and therefore, by Theorem 1, there exists a unique natural transformation $\mu : 1 \to S$ such that $F(f) \circ \mu = \mu$. In particular, this means that $\mu_A : 1 \to S_A$ is a partition class (i.e., $\mu_A \in X/\!\equiv_A$) such that $F(f)_A(\mu_A) = \mu_A$. By definition of $F$, this means that for all $x \in \mu_A$: $[f(x)]_{\equiv_A} = \mu_A = [x]_{\equiv_A}$, that is, $f(x) \equiv_A x$. If there is another $y \in X$ such that $f(y) \equiv_A y$, then $[y]_{\equiv_A} = [f(y)]_{\equiv_A} = [f(x)]_{\equiv_A}$ (by uniqueness of $\mu$), and therefore $[y]_{\equiv_A} = [x]_{\equiv_A}$, that is $x \equiv_A y$. □



[Diagram: $\mathbf{Ofe}(A, \le) \rightleftarrows \hat{O}(A)$ with $F \dashv G$; $a \dashv i$ between $\hat{O}(A)$ and $\mathbf{Sh}(A)$; $\mathbf{wCofe}(A, \le) \rightleftarrows \mathcal{E}$ with $F \dashv G$; inclusions $\mathbf{wCofe}(A, \le) \hookrightarrow \mathbf{Ofe}(A, \le)$ and $\mathcal{E} \hookrightarrow \mathbf{Sh}(A)$.]



5 Conclusions 

In this paper we have presented a novel approach to the problem of establishing fixed points of circular definitions. Our approach, based on categories of sheaves over "well-founded" topologies, unifies the well-founded induction principle and a generalization of Banach's theorem. This result encompasses most known techniques used in Mathematics and Computer Science for ensuring convergence of circular definitions, and moreover it can be applied also to definitions which are both recursive and corecursive at the same time.

Our work has been motivated also by the need to better understand and generalize a similar set-theoretic result, based on the notion of "(complete) ordered family of equivalences" [4]. In fact, we have shown that c.o.f.e.'s can be seen as a particular case of sheaves on well-founded topologies, suited for implementation in proof assistants. However, the generality we have achieved in this paper goes well beyond this; for instance, the new model offers a cleaner and more elegant treatment of the important case of functions defined by well-founded recursion.
Future work. As pointed out before, the theory of sheaves over well-founded topologies presented in this paper is stronger than the theory of c.o.f.e.'s implemented in Coq (and the similar development in Isabelle/HOL). A way of gaining this expressive power could be to formalize directly the theory presented in this paper as it is; however, such a formalization would be quite different from the one of c.o.f.e.'s, and likely not as easy to use. Another possibility would be to look for a counterpart of $\mathbf{Sh}(A)$ within the category of o.f.e.'s. In other words, we conjecture the existence of a reflective subcategory $\mathcal{C} \hookrightarrow \mathbf{Ofe}(A, \le)$, such that $\mathbf{Cofe}(A, \le) \hookrightarrow \mathcal{C}$ and connected to $\mathbf{Sh}(A)$ by the adjunction $F \dashv G$. This would complete the diagram above, and would lead to a compact, implementation-oriented representation of sheaves.

In this paper, we have considered presheaves and sheaves over a precise kind of topology, namely the one formed by downward closed sets. It is interesting future work to understand to what extent the notions and results of this paper can be generalized to other topologies. For instance, the key notion of "well-founded topology" should be readily adapted to general Grothendieck topologies.

Another interesting direction for future work is to consider the internal language of the category $\mathbf{Sh}(A)$. As for any topos, $\mathbf{Sh}(A)$ supports directly the interpretation of a typed (intuitionistic) higher order logic, but moreover, we should be able to extend this language with specific constructors and rules for fixpoint definition.
Abstract. Motivated by recent work on the derivation of labelled transitions and bisimulation congruences from unlabelled reaction rules, we show how to solve this problem in the DPO (double-pushout) approach to graph rewriting. Unlike in previous approaches, we consider graphs as objects, instead of arrows, of the category under consideration. This allows us to present a very simple way of deriving labelled transitions (called rewriting steps with borrowed context) which smoothly integrates with the DPO approach, has a very constructive nature and requires only a minimum of category theory. The core part of this paper is the proof sketch that the bisimilarity based on rewriting with borrowed contexts is a congruence relation.



1 Introduction 

In the last few years the problem of deriving labelled transitions and bisimulation congruences from unlabelled reaction or rewriting rules has received great attention. This line of research was motivated by the theory of bisimulation congruences for process calculi, such as the $\pi$-calculus [22]. A bisimilarity defined on unlabelled reduction rules is usually not a congruence, that is, it is not closed under the operators of the process calculus. Congruence is a very desirable property since it allows us to replace a subsystem with an equivalent one without changing the behaviour of the overall system and furthermore helps to make bisimilarity proofs modular.

Previous solutions have been to either require that two processes are related 
if and only if they are bisimilar under all possible contexts (see [17]) or to derive a 
labelled transition system manually. Since the first solution needs quantification 
over all possible contexts, proofs of bisimilarity can be very complicated. In 
the second solution, proofs tend to be much easier, but it is necessary to show 
that the labelled variant of the transition system is equivalent to the unlabelled 
variant. 

So the idea which was formulated in the papers of Leifer/Milner [13,14], Sewell [24] and Sassone/Sobocinski [23] is to automatically derive a labelled transition system such that the resulting bisimilarity is a congruence. A central concept of this approach is to formalize the notion of minimal context which enables a process to reduce. Consider, for example, the CCS process $a.P$. It reduces when put into the contexts $\_ \mid \bar{a}.Q$ and $\_ \mid \bar{a}.Q \mid b.R$, but one is interested only in the first context, since it is in some sense smaller than the second one. This yields the labelled transition

$$a.P \xrightarrow{\_ \mid \bar{a}.Q} P \mid Q,$$

saying that $a.P$ put into this context reacts and reduces to $P \mid Q$. Using all possible contexts as labels would also result in a bisimulation congruence, but we do not gain anything compared to quantification over all contexts.

In [13,14] the notion of "minimal context" is formalized as the categorical concept of relative pushout, respectively idem pushout. This notion has also been applied to bigraphs [10]. However, the theory is complicated by the fact that one cannot work with isomorphism classes of graphs, since in this case the category under consideration would not possess all necessary relative pushouts. Thus one is forced to give unique names to all edges and nodes in a graph and to either work in a precategory or to construct a suitable category starting from such a precategory. Another approach, given by Sassone and Sobocinski [23], is to work with cells inside a 2-category.

It is our aim to achieve similar results in the context of graph rewriting [20], a framework which allows one to model dynamic and concurrent systems consisting of interconnected components in a natural and intuitive way. Many process calculi such as the $\pi$-calculus [9,19,11] and the ambient calculus [8] can be translated into graph rewriting. We are specifically interested in the double-pushout (DPO) approach [2], one of the standard approaches to graph rewriting. So far, there is not yet a uniform theory of bisimulation for graph transformation systems. Using the concepts explained earlier would be possible in theory, but contradicts the philosophy behind graph rewriting where graphs are considered only up to isomorphism. Furthermore, deriving labels via relative pushouts is entirely non-trivial and can be rather complicated.

The approach which is presented in this paper is motivated by the work of Leifer/Milner and other contributions to this area, but does not directly rely on their theory. Instead we present a very simple way of deriving minimal contexts, which we call borrowed contexts, that smoothly integrates with the DPO approach and has a very constructive nature. The only categorical concepts that are needed are standard pushouts and pullbacks. The main difference from previous approaches is that in our case graphs are objects and not arrows of the category under consideration. Our arrows instead are graph morphisms, which provide the necessary tracking information for nodes and edges; in the case of graphs as arrows this information can only be provided by adding support to a category. This work is based on ideas presented in [3], a paper which points out similarities and differences between Milner's bigraphs [10,16] and the DPO approach to graph rewriting.

Our main result states that bisimilarity defined on graph rewriting with bor- 
rowed contexts is indeed a congruence relation (see Theorem 7). 
The paper is structured as follows: In Section 2 we will give a short introduction to the DPO approach, followed by the definition of rewriting with borrowed contexts (Section 3). Section 4 provides the proof ideas that the resulting bisimilarity is a congruence. After having introduced a proof technique we continue with an example showing borrowed contexts at work in Section 5.

This paper requires only basic knowledge of category theory [15]. In fact, 
we only need pushouts and pullbacks, including some general as well as specific 
preservation, composition and decomposition properties. The general properties 
hold in any category and the specific ones at least in the category of sets and, 
as needed in the paper, in the category of graphs. The specific properties are 
presented in our technical report [6], which also contains the full proof of our 
main result. 

2 The DPO Approach to Graph Rewriting 

We will first define a family of categories of graphs and graph morphisms, being 
as general as possible by defining graph structures [5], which include different 
forms of graphs such as directed graphs and hypergraphs. 

Definition 1 (Graph Structures). A graph structure signature $GS = (S, OP, \Sigma)$ consists of a set of sorts $S$, a family $(OP_{s,s'})_{s,s' \in S}$ of unary operator symbols and a family $(\Sigma_s)_{s \in S}$ of labelling alphabets.

A graph structure $A$ over $GS$ is a sort-indexed family $(A_s)_{s \in S}$ of carrier sets together with a sort-indexed family of labelling functions $(l^A_s)_{s \in S}$ such that $l^A_s : A_s \to \Sigma_s$ and an $OP$-indexed family of mappings $(op^A)_{op \in OP}$ such that $op^A : A_s \to A_{s'}$ if $op \in OP_{s,s'}$.

A graph structure morphism $\varphi : A \to B$ is a sort-indexed family of mappings $\varphi = (\varphi_s : A_s \to B_s)_{s \in S}$ such that $l^A_s(x) = l^B_s(\varphi(x))$ and $op^B(\varphi(x)) = \varphi(op^A(x))$ for all $x \in A_s$. A graph structure morphism $\varphi$ is called injective if all its mappings are injective. It is an isomorphism if all mappings are bijective. An isomorphism of the form $\varphi : A \to A$ is called automorphism.

The simplest graph structure signature has two sorts, node and edge, and two operator symbols $s, t \in OP_{edge,node}$ standing for "source" and "target". Graph structures over this signature are ordinary labelled directed graphs and graph structure morphisms are standard graph morphisms. The sets $\Sigma_{node}$ and $\Sigma_{edge}$ contain node respectively edge labels. In the following we will say "graph" instead of "graph structure" and "graph morphism" or just "morphism" instead of "graph structure morphism".

A category of graphs and graph morphisms has all pushouts and pullbacks, 
which can be constructed componentwise in the category Set. Furthermore, 
constructing the pushout or pullback of two injective morphisms always gives 
us two injective morphisms. Working exclusively in the category of injective 
morphisms is not possible since this category does not have all pushouts and 
pullbacks, which is due to missing non-injective mediating morphisms. So far we 
can obtain our main result (Theorem 7) only if we work with injective morphisms, 
which is, however, a natural requirement. 
Definition 2 (Graph Transformation System). A rule or production is a pair $(\varphi_L : I \to L, \varphi_R : I \to R)$ of injective graph morphisms. It can be applied to a graph $G$, resulting in a graph $H$, if there is an injective match morphism $\varphi : L \to G$ and we can find a graph $C$ and morphisms such that the two squares in the following diagram are both pushouts.

[Diagram: $L \leftarrow I \to R$ above $G \leftarrow C \to H$, with vertical morphisms $L \to G$, $I \to C$, $R \to H$; both squares are pushouts.]

A graph transformation system is a set $\mathcal{P}$ of productions.

The diagram above consisting of two pushouts has led to the name double-pushout or DPO approach. The intuition behind this approach is to find a left-hand side $L$ in a graph $G$, remove $L$ apart from the interface $I$ and to attach $R$ to the interface in the remaining graph $C$, resulting in $H$.

Note: Instead of writing $(\varphi_L : I \to L, \varphi_R : I \to R)$ we will in the following abbreviate a rule by $(L \leftarrow I \to R)$, or even $(L \to R)$ if there is no danger of misunderstanding. This short form will be used for other morphisms as well.

We use a running example throughout the paper which is deliberately kept very simple. Figure 1 shows three spans $L \leftarrow I \to R$ which form the rule set $\mathcal{P}$ of our example graph transformation system. The graphs are directed graphs with edge labels where nodes are unlabelled (or are labelled with a dummy label). We give rules for a simplex connection $S$ and a duplex connection $D$ over both of which messages $M$, represented by a loop, are sent. A duplex connection can be used both ways, whereas a simplex connection has a fixed direction. The connections themselves are preserved and are therefore in the interfaces of the rules. An alternative choice, which is also covered by the concept of graph structures, would have been to model this situation by hypergraphs with unary edges (for messages) and binary edges (for connections).
[Fig. 1 not reproduced: three spans $L \leftarrow I \to R$ built from $S$, $D$ and $M$ edges, named [simplex], [duplex-1] and [duplex-2].]

Fig. 1. Rules of a graph transformation system.



In order to state congruence results, we first need a notion of contexts and contextualization.
Definition 3 (Graphs with interfaces and graph contexts). A graph $G$ with interface $J$ is an injective morphism $J \to G$. Furthermore a context or cospan consists of two injective morphisms $J \to E \leftarrow \bar J$.

The composition of a graph with interface $J \to G$ and a context $J \to E \leftarrow \bar J$ is a graph with interface $\bar J \to \bar G$ which is obtained by construct $\bar G$ as the pushout of $J \to G$ and $J \to E$.

[Diagram: $J \to E \leftarrow \bar J$ above $G \to \bar G$, with $J \to G$ and $E \to \bar G$; the square $J, E, G, \bar G$ is a pushout.]

Note that composition is defined only up to isomorphism, since the pushout object is unique only up to isomorphism.

This notion of interfaces, contexts and composition is within the spirit of the DPO approach where the pushouts for $G$ and $H$ in Definition 2 can be interpreted as composition of $L$ with $C$ respectively $R$ with $C$ along interface $I$. In the context of this paper however it is important to consider also the graph $G$ with interface $J$ leading to $\bar G$ with interface $\bar J$, which requires a context $E$ with two interfaces $J$ and $\bar J$. Discrete interfaces, which are a special case, have already been used, see for instance [7].

3 Rewriting with Borrowed Contexts 

We are now ready for the central definition of this paper: graph rewriting with 
borrowed contexts on graphs with interfaces. The underlying idea is to allow not 
only total, but also partial matches of a left-hand side. The missing part of the 
left-hand side is then displayed as the label of the resulting transition. 

Definition 4 (Rewriting with borrowed contexts). Let $\mathcal{P}$ be a set of graph productions of the form $(L \leftarrow I \to R)$ and let $J \to G$ be a graph with interface. We say that $J \to G$ reduces to $K \to H$ with transition label $(J \to F \leftarrow K)$ whenever there is a production $(L \leftarrow I \to R) \in \mathcal{P}$ and there are graphs $D$, $G^+$, $C$ and additional morphisms such that the following diagram commutes and the squares are either pushouts (PO) or pullbacks (PB) with injective morphisms.

[Diagram: rows $D \to L \leftarrow I \to R$, $G \to G^+ \leftarrow C \to H$ and $J \to F \leftarrow K$, with vertical morphisms $D \to G$, $L \to G^+$, $I \to C$, $R \to H$, $J \to G$, $F \to G^+$ and $K \to C$; the three squares of the upper row and the lower-left square $J, G, F, G^+$ are pushouts (PO), the lower-right square $K, C, F, G^+$ is a pullback (PB).]

Symbolically this is denoted by the transition $(J \to G) \xrightarrow{J \to F \leftarrow K} (K \to H)$, which is also called rewriting step with borrowed context.

The squares in the diagram above have the following meaning: the upper left-hand square merges the left-hand side $L$ and the graph $G$ to be rewritten according to a partial match $G \leftarrow D \to L$ of the left-hand side in $G$. The resulting graph $G^+$ contains a total match of $L$ and can be rewritten as in the standard DPO approach, which produces the two remaining squares in the upper row. The pushout in the lower row gives us the borrowed (or minimal) context $F$ which is missing in order to obtain a total match of $L$, along with a morphism $J \to F$ indicating how $F$ should be attached to $G$. Finally, we need an interface for the resulting graph $H$, which can be obtained by "intersecting" the borrowed context $F$ and the graph $C$ via a pullback.

The two pushout complements that are constructed in Definition 4 may not exist. The middle square in the upper row can only be completed if the dangling edge condition is satisfied, i.e., if the left-hand side $L$ is connected to the rest of the graph $G^+$ exclusively via its interface $I$ and no edges would be left "dangling" by removing it. The left square in the lower row can only be completed if there is a way to extend the partial match to a left-hand side $L$ by attaching some context $J \to F$ to $J \to G$. In other words, the dangling edge condition is required also for the morphism $G \to G^+$ with respect to the interface morphism $J \to G$.

In this case the borrowed context $F$ is minimal in the following sense: Given the partial match $G \leftarrow D \to L$, the pushout $G^+$ is the minimal graph containing both $G$ and $L$ attached according to the partial match. The borrowed context $F$ is a pushout complement of the injective morphisms $J \to G \to G^+$, leading to the injective morphisms $J \to F \to G^+$. This implies that $F$ is the unique graph (up to isomorphism) that is needed to extend $G$ to the minimal graph $G^+$.

From the properties of the category of graph structures we can infer that all morphisms in the diagram above are injective. It is thus possible to draw a schematic representation of the four left-hand side squares of Definition 4 (see Figure 2). This figure also illustrates that the new interface $K$ is the "union" of the interfaces $I$ and $J$, minus the graph components that are internal in either $G$ or $L$.

In order to illustrate Definition 4, we regard rule [simplex] of Figure 1 and 
an example graph G consisting of two F-edges for which we find a partial match 
of the left-hand side. This results in the derivation shown in Figure 3. Note that 
the image of a node under a morphism is implicitly given by its position, i.e., 
the left-hand node is always mapped to a left-hand node, analogously for the 
right-hand node. 
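To make Definitions 2 and 4 concrete, here is an added example in Python; it is not the paper's own code or tooling. Graphs are labelled directed graphs (the two-sort signature of Section 2), morphisms are pairs of dicts and are assumed injective, and pushouts, pushout complements and pullbacks are computed componentwise on nodes and edges as Section 2 says. The rule used is an assumed reading of [simplex] from Figure 1 (a message loop $M$ moves from the source to the target of an $S$ edge, the edge being in the interface), and the graph $G$, its interface $J$ and the partial match are constructed for this example: the match covers only the $S$ edge, so the $M$ loop has to be borrowed through $J$.

```python
# Added example (not the paper's own code): DPO rewriting with borrowed contexts
# on small labelled directed graphs.  Pushouts, pushout complements and pullbacks
# are computed componentwise in Set, as Section 2 states; all morphisms are
# injective and are represented as a pair (node map, edge map) of dicts.
from dataclasses import dataclass, field


@dataclass
class Graph:
    nodes: set = field(default_factory=set)
    edges: dict = field(default_factory=dict)  # edge id -> (src, tgt, label)


def compose(second, first):
    """Composition second . first of two morphisms."""
    return ({x: second[0][y] for x, y in first[0].items()},
            {x: second[1][y] for x, y in first[1].items()})


def pushout(A, B, C, f, g):
    """Pushout P of B <-f- A -g-> C; returns (P, B->P, C->P).
    P is B plus the part of C outside g(A); elements are tagged 'b' or 'c'."""
    (fn, fe), (gn, ge) = f, g
    inv_gn = {gn[a]: fn[a] for a in A.nodes}  # C-element in g(A) -> B-element
    inv_ge = {ge[a]: fe[a] for a in A.edges}
    bn = {n: ('b', n) for n in B.nodes}
    be = {e: ('b', e) for e in B.edges}
    cn = {n: bn[inv_gn[n]] if n in inv_gn else ('c', n) for n in C.nodes}
    ce = {e: be[inv_ge[e]] if e in inv_ge else ('c', e) for e in C.edges}
    P = Graph(set(bn.values()) | set(cn.values()))
    for e, (s, t, lab) in B.edges.items():
        P.edges[be[e]] = (bn[s], bn[t], lab)
    for e, (s, t, lab) in C.edges.items():
        P.edges[ce[e]] = (cn[s], cn[t], lab)
    return P, (bn, be), (cn, ce)


def pushout_complement(A, B, D, f, h):
    """For A -f-> B -h-> D return (C, A->C, C->D), C being D without the image
    of B \\ f(A); returns None if the dangling edge condition is violated."""
    (fn, fe), (hn, he) = f, h
    kept = {hn[fn[a]] for a in A.nodes}
    gone_nodes = {hn[n] for n in B.nodes} - kept
    gone_edges = {he[e] for e in B.edges} - {he[fe[a]] for a in A.edges}
    C = Graph(D.nodes - gone_nodes)
    for e, (s, t, lab) in D.edges.items():
        if e in gone_edges:
            continue
        if s in gone_nodes or t in gone_nodes:
            return None  # an edge of D would be left dangling
        C.edges[e] = (s, t, lab)
    a_to_c = ({a: hn[fn[a]] for a in A.nodes}, {a: he[fe[a]] for a in A.edges})
    c_to_d = ({n: n for n in C.nodes}, {e: e for e in C.edges})
    return C, a_to_c, c_to_d


def pullback(F, C, D, p, q):
    """Pullback K of F -p-> D <-q- C, i.e. the intersection of the two images
    in D; returns (K, K->F, K->C).  Elements of K are named by their D-image."""
    (pn, pe), (qn, qe) = p, q
    inv_pn, inv_pe = {pn[n]: n for n in F.nodes}, {pe[e]: e for e in F.edges}
    inv_qn, inv_qe = {qn[n]: n for n in C.nodes}, {qe[e]: e for e in C.edges}
    K = Graph({d for d in inv_pn if d in inv_qn},
              {d: D.edges[d] for d in inv_pe if d in inv_qe})
    k_to_f = ({d: inv_pn[d] for d in K.nodes}, {d: inv_pe[d] for d in K.edges})
    k_to_c = ({d: inv_qn[d] for d in K.nodes}, {d: inv_qe[d] for d in K.edges})
    return K, k_to_f, k_to_c


def borrowed_context_step(rule, J, G, j_to_g, D, d_to_g, d_to_l):
    """One rewriting step with borrowed context (Definition 4) for the partial
    match G <- D -> L.  Returns None when a pushout complement does not exist."""
    L, I, R, i_to_l, i_to_r = rule
    Gp, g_to_gp, l_to_gp = pushout(D, G, L, d_to_g, d_to_l)     # upper-left PO
    mid = pushout_complement(I, L, Gp, i_to_l, l_to_gp)         # upper-middle PO
    low = pushout_complement(J, G, Gp, j_to_g, g_to_gp)         # lower-left PO
    if mid is None or low is None:
        return None
    C, i_to_c, c_to_gp = mid
    F, j_to_f, f_to_gp = low
    H, c_to_h, _ = pushout(I, C, R, i_to_c, i_to_r)              # upper-right PO
    K, k_to_f, k_to_c = pullback(F, C, Gp, f_to_gp, c_to_gp)   # lower-right PB
    return {'F': F, 'K': K, 'H': H, 'j_to_f': j_to_f, 'k_to_f': k_to_f,
            'k_to_h': compose(c_to_h, k_to_c)}


# Constructed reading of rule [simplex] of Figure 1 (assumed, the figure is not
# reproduced here): a message M, a loop on the source of a simplex connection S,
# moves to the target of S; the connection itself is in the interface I.
SIMPLEX = (
    Graph({'l1', 'l2'}, {'lS': ('l1', 'l2', 'S'), 'lM': ('l1', 'l1', 'M')}),  # L
    Graph({'i1', 'i2'}, {'iS': ('i1', 'i2', 'S')}),                           # I
    Graph({'r1', 'r2'}, {'rS': ('r1', 'r2', 'S'), 'rM': ('r2', 'r2', 'M')}),  # R
    ({'i1': 'l1', 'i2': 'l2'}, {'iS': 'lS'}),                                  # I -> L
    ({'i1': 'r1', 'i2': 'r2'}, {'iS': 'rS'}),                                  # I -> R
)


def simplex_example(expose_source):
    """Constructed input: G = x -S-> y carries no message, the partial match
    covers only the S edge, so the M loop has to be borrowed through the
    interface J, which is {x} when expose_source is True and empty otherwise."""
    G = Graph({'x', 'y'}, {'e': ('x', 'y', 'S')})
    J, j_to_g = (Graph({'j'}), ({'j': 'x'}, {})) if expose_source else (Graph(), ({}, {}))
    D = Graph({'d1', 'd2'}, {'dS': ('d1', 'd2', 'S')})
    return borrowed_context_step(SIMPLEX, J, G, j_to_g, D,
                                 ({'d1': 'x', 'd2': 'y'}, {'dS': 'e'}),
                                 ({'d1': 'l1', 'd2': 'l2'}, {'dS': 'lS'}))
```

With the source node exposed in $J$, `simplex_example(True)` returns the borrowed context $F$ (one node carrying the $M$ loop), the new interface $K$ (that node alone, since the loop is consumed and $y$ is internal to $G$) and the result $H$ in which the loop sits on the target of the $S$ edge. With an empty interface the lower-left pushout complement does not exist: the borrowed loop would dangle on a node that has to be removed, so the function returns `None`, which is exactly the second dangling edge condition discussed after Definition 4.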



4 Bisimilarity Is a Congruence 

We now arrive at the main theorem of this paper: We will show that the bisim- 
ilarity defined on labelled graph transition systems is a congruence. Before that 
we need two more definitions. 
Fig. 2. Graphical representation of rewriting with borrowed contexts.




Fig. 3. Rewriting with borrowed contexts in the example graph transformation system. 



Definition 5 (Bisimulation and Bisimilarity). Let $\mathcal{P}$ be a set of productions. Let $\mathcal{R}$ be a symmetric relation containing pairs of graphs with interfaces of the form $(J \to G, J \to G')$, also written $(J \to G) \,\mathcal{R}\, (J \to G')$.

The relation $\mathcal{R}$ is a bisimulation if whenever we have $(J \to G) \,\mathcal{R}\, (J \to G')$ and a transition $(J \to G) \xrightarrow{J \to F \leftarrow K} (K \to H)$ (in words: $J \to G$ reduces to $K \to H$ with transition label $J \to F \leftarrow K$) can be derived from $\mathcal{P}$, then there exists a morphism $K \to H'$ and a transition $(J \to G') \xrightarrow{J \to F \leftarrow K} (K \to H')$ with the same transition label $J \to F \leftarrow K$ such that $(K \to H) \,\mathcal{R}\, (K \to H')$.

We write $(J \to G) \sim (J \to G')$ whenever there exists a bisimulation $\mathcal{R}$ that relates the two morphisms. The relation $\sim$ is called bisimilarity.
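The matching condition of Definition 5 can be checked mechanically once the labelled transitions are known. The following added example (not from the paper) computes the largest bisimulation on a finite labelled transition system by the usual greatest-fixpoint iteration; states stand for graphs with interfaces $J \to G$ and labels for borrowed contexts $J \to F \leftarrow K$, but both are represented as opaque strings here, and the transition system itself is constructed for the example.

```python
# Added example (not from the paper): the largest bisimulation on a finite
# labelled transition system, in the sense of Definition 5.  States stand for
# graphs with interfaces J -> G and a label for a borrowed context J -> F <- K;
# here both are opaque strings, since only the matching condition matters.
from itertools import product


def bisimilarity(trans):
    """trans: dict state -> set of (label, successor).  Start from all pairs and
    drop a pair as long as one side has a transition the other side cannot
    answer with the same label into a still-related pair (greatest fixpoint)."""
    rel = set(product(trans, repeat=2))

    def matched(p, q):
        return all(any(l2 == l and (p2, q2) in rel for l2, q2 in trans[q])
                   for l, p2 in trans[p])

    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not (matched(p, q) and matched(q, p)):
                rel.discard((p, q))
                changed = True
    return rel


# Constructed LTS.  'a' and 'b' offer the same two borrowed contexts; 'c' lacks
# one of them; 'd' and 'e' have the same traces (m, then n) but differ in when
# the choice is made, which bisimulation detects and trace equivalence does not.
SAMPLE = {
    'a': {('m', 'a1'), ('n', 'a2')}, 'a1': set(), 'a2': set(),
    'b': {('m', 'b1'), ('n', 'b2')}, 'b1': set(), 'b2': set(),
    'c': {('m', 'c1')}, 'c1': set(),
    'd': {('m', 'd1'), ('m', 'd2')}, 'd1': set(), 'd2': {('n', 'd3')}, 'd3': set(),
    'e': {('m', 'e1')}, 'e1': {('n', 'e2')}, 'e2': set(),
}


def bisimilar(p, q, trans=SAMPLE):
    """True iff p and q are related by the largest bisimulation of trans."""
    return (p, q) in bisimilarity(trans)
```

Because both directions of the matching condition are checked for every pair, the relation stays symmetric throughout, as Definition 5 requires. The pair ('d', 'e') is dropped although both states have the same traces: after the transition labelled m the state 'd1' can do nothing, whereas 'e1' still offers n.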

In order to state Theorem 7, we have to be able to close a bisimulation or 
simply a relation under all possible contexts. 

Definition 6 (Closure under Contextualization). Let $\mathcal{R}$ be a relation on graphs with interfaces as in Definition 5. By $\hat{\mathcal{R}}$ we denote the closure of $\mathcal{R}$ under contextualization, i.e., $\hat{\mathcal{R}}$ is the smallest relation that contains, for every pair $(J \to G, J \to G') \in \mathcal{R}$ and for every context of the form $J \to E \leftarrow \bar J$, the pair of morphisms $(\bar J \to \bar G, \bar J \to \bar G')$ which results from the composition of $J \to G$ and $J \to E \leftarrow \bar J$ respectively $J \to G'$ and $J \to E \leftarrow \bar J$.

A relation $\mathcal{R}$ is a congruence, i.e., closed under contexts, whenever $\hat{\mathcal{R}} = \mathcal{R}$. Since obviously $\mathcal{R}$ is contained in $\hat{\mathcal{R}}$, it suffices to show $\hat{\mathcal{R}} \subseteq \mathcal{R}$. We only give a proof sketch; the full proof can be found in [6].

Theorem 7 (Bisimilarity is a Congruence). Whenever $\mathcal{R}$ is a bisimulation, then $\hat{\mathcal{R}}$ is a bisimulation as well. This implies that the bisimilarity relation $\sim$ is a congruence.

Proof (Proof Sketch). 

Remark: In this proof we are using properties of the category of graph struc- 
tures, such as pushout complement splitting and special decomposition proper- 
ties, that do not necessarily hold in other categories (cf. the remarks at the end 
of the introduction). 

We will show that whenever $\mathcal{R}$ is a bisimulation, then $\hat{\mathcal{R}}$ is a bisimulation as well. With the following argument we can then infer that $\hat{\sim} \subseteq \sim$ and that $\sim$ is a congruence: Whenever $(\bar J \to \bar G) \,\hat{\sim}\, (\bar J \to \bar G')$, there exists a bisimulation $\mathcal{R}$ such that $(\bar J \to \bar G) \,\hat{\mathcal{R}}\, (\bar J \to \bar G')$. Since, as we will show, $\hat{\mathcal{R}}$ is a bisimulation, it follows that $(\bar J \to \bar G) \sim (\bar J \to \bar G')$.

So let $\mathcal{R}$ be a bisimulation and let $(\bar J \to \bar G) \,\hat{\mathcal{R}}\, (\bar J \to \bar G')$. We assume that

$$(\bar J \to \bar G) \xrightarrow{\bar J \to \bar F \leftarrow \bar K} (\bar K \to \bar H).$$

Our goal is to show that there exists a transition

$$(\bar J \to \bar G') \xrightarrow{\bar J \to \bar F \leftarrow \bar K} (\bar K \to \bar H')$$

with $(\bar K \to \bar H) \,\hat{\mathcal{R}}\, (\bar K \to \bar H')$, which implies that $\hat{\mathcal{R}}$ is a bisimulation. In Step 1 we will construct a transition $(J \to G) \xrightarrow{J \to F \leftarrow K} (K \to H)$, which implies a transition $(J \to G') \xrightarrow{J \to F \leftarrow K} (K \to H')$ with $(K \to H) \,\mathcal{R}\, (K \to H')$, since $\mathcal{R}$ is a bisimulation. In Step 2 we will extend the second transition to obtain the transition stated in our goal above.

Step 1: Our first assumption $(\bar J \to \bar G) \,\hat{\mathcal{R}}\, (\bar J \to \bar G')$ means that there is some pair $(J \to G) \,\mathcal{R}\, (J \to G')$ and a context $J \to E \leftarrow \bar J$ such that $\bar J \to \bar G$ and $\bar J \to \bar G'$ can be obtained by composing $J \to G$ and $J \to G'$ with this context.

The second assumption is the transition $(\bar J \to \bar G) \xrightarrow{\bar J \to \bar F \leftarrow \bar K} (\bar K \to \bar H)$, which leads to the situation depicted in Diagram (1), where the decomposition of $\bar J \to \bar G$ is shown explicitly and all morphisms are injective and all (basic) squares are pushouts, apart from the square $\bar K, \bar C, \bar F, \bar G^+$, which is a pullback.




We can now split the lower pushout and the lower pullback along $E$ (see Diagram (2)).

As a next step we construct $D$ as the pullback of $G \to \bar G$ and $\bar D \to \bar G$, followed by the construction of the pushout of the resulting morphisms. In Diagram (2) we can now split the upper row of pushouts and the pushout to the very left, obtaining the graphs $F_1$, $G^+$, $C$ and $H$. We then construct $F$ as the pullback of $G^+ \to \bar G^+$ and $E_2 \to \bar G^+$ and $K$ as the pullback of $C \to \bar C$ and $E_1 \to \bar C$. This results in Diagram (3), with two commuting cubes in the middle of the diagram.

All morphisms are injective, all squares commute and we can infer that the squares $D, G, L, G^+$ and $I, L, C, G^+$ and $J, G, F, G^+$ and $I, R, C, H$ are pushouts and the square $K, C, F, G^+$ is a pullback, as in Definition 4. Hence, from Diagram (3) we can derive the following transition:

$$(J \to G) \xrightarrow{J \to F \leftarrow K} (K \to H),$$

using the notation of Definition 4. Since $\mathcal{R}$ is a bisimulation, this implies

$$(J \to G') \xrightarrow{J \to F \leftarrow K} (K \to H')$$

with $(K \to H) \,\mathcal{R}\, (K \to H')$. Furthermore we can infer from Diagram (3) that $\bar K \to \bar H$ can be obtained by composing $K \to H$ with the context $K \to E_1 \leftarrow \bar K$, since the square $K, H, E_1, \bar H$ is a pushout.
Step 2: We will now extend the transition from $J \to G'$ to $K \to H'$ with $(K \to H) \,\mathcal{R}\, (K \to H')$ obtained above to construct a transition from $\bar J \to \bar G'$ to $\bar K \to \bar H'$ with $(\bar K \to \bar H) \,\hat{\mathcal{R}}\, (\bar K \to \bar H')$. We will construct $\bar K \to \bar H'$ in such a way that it is the composition of $K \to H'$ with the context $K \to E_1 \leftarrow \bar K$. Recall also that $\bar J \to \bar G'$ is the composition of $J \to G'$ and the context $J \to E \leftarrow \bar J$.

We now cut away the upper layer of Diagram (3) and we obtain Diagram (4) where all squares are pushouts, apart from the square $\bar K, \bar F, E_1, E_2$, which is a pullback.




From the derivation step of $J \to G'$ given earlier one can derive Diagram (5) for some rule $L' \leftarrow I' \to R'$ where the lower right-hand square is a pullback and all other squares are pushouts. The morphism $J \to F$ is split by $F_1$ and therefore we can split the two left-hand side pushouts as shown in Diagram (6).




[Diagram (6) not reproduced.]

We compose Diagrams (4) and (6) and construct the graph $\bar G'$ as the pushout of $F_1 \to G'$ and $F_1 \to E$, the graph $\bar G'^+$ as the pushout of $F \to G'^+$ and $F \to E_2$ and the graph $\bar C'$ as the pushout of $K \to C'$ and $K \to E_1$. This results in Diagram (7), which is identical to Diagram (3) in structure.




In Diagram (7), the three right-hand squares in the upper row are all pushouts, the square $\bar J, \bar F, \bar G', \bar G'^+$ is a pushout and the square $\bar K, \bar F, \bar G'^+, \bar C'$ is a pullback.

Hence, by Definition 4 we infer that

$$(\bar J \to \bar G') \xrightarrow{\bar J \to \bar F \leftarrow \bar K} (\bar K \to \bar H'),$$

and since the square $K, H', E_1, \bar H'$ is also a pushout we can infer that $\bar K \to \bar H'$ can be obtained by composing $K \to H'$ and the context $K \to E_1 \leftarrow \bar K$. From earlier considerations we know that $\bar K \to \bar H$ is the composition of $K \to H$ with $K \to E_1 \leftarrow \bar K$ and hence $(\bar K \to \bar H) \,\hat{\mathcal{R}}\, (\bar K \to \bar H')$. This means that we have achieved our goal stated at the beginning of the proof sketch, which implies that $\hat{\mathcal{R}}$ is a bisimulation and $\sim$ is a congruence.

5 Borrowed Contexts at Work: An Example 

In order to further pursue the example we will first introduce a proof technique simplifying bisimilarity proofs. This technique is a straightforward instance of an up-to technique [21]. The underlying idea behind the technique is the observation that the relation $\mathcal{R}$ should be as small as possible, in order to obtain a compact proof. This goal can be reached by slightly extending the notion of bisimulation: We now demand that if a transition is matched by another, the pair of resulting graphs can be found in $\mathcal{R}$ after removal of identical contexts. Hence, this extended notion of bisimulation is called "bisimulation up to context". We first need an auxiliary definition.

Definition 8 (Progression). Let $\mathcal{R}, \mathcal{S}$ be relations containing pairs of graphs with interfaces of the form $(J \to G, J \to G')$, where $\mathcal{R}$ is symmetric. We say that $\mathcal{R}$ progresses to $\mathcal{S}$, abbreviated by $\mathcal{R} \rightarrowtail \mathcal{S}$, if whenever $(J \to G)\,\mathcal{R}\,(J \to G')$ and $(J \to G) \longrightarrow (K \to H)$ there exists a morphism $K \to H'$ such that
$$(J \to G') \longrightarrow (K \to H') \quad\text{and}\quad (K \to H)\,\mathcal{S}\,(K \to H').$$

For example, $\mathcal{R}$ is a bisimulation if and only if $\mathcal{R} \rightarrowtail \mathcal{R}$.

Definition 9 (Bisimulation up to Context). Let $\mathcal{R}$ be a symmetric relation containing pairs of graphs with interfaces of the form $(J \to G, J \to G')$.

If $\mathcal{R} \rightarrowtail \hat{\mathcal{R}}$, then $\mathcal{R}$ is called bisimulation up to context.

We will show in Proposition 10 that every bisimulation up to context is contained in the bisimilarity. The attractiveness of bisimulations up to context stems from the fact that such a relation can be much smaller than the least bisimulation that contains it, and thus proofs can be compressed. This technique might even allow us to work with a finite relation instead of an infinite one.

Proposition 10 (Bisimulation up to Context implies Bisimilarity). Let $\mathcal{R}$ be a bisimulation up to context. Then it holds that $\mathcal{R} \subseteq\ \sim$.

Proof (Proof Sketch). By carefully examining the proof of Theorem 7 again we can see that some simple modifications give us the following (stronger) theorem:

If $\mathcal{R} \rightarrowtail \mathcal{S}$, then also $\hat{\mathcal{R}} \rightarrowtail \hat{\mathcal{S}}$.

Since $\mathcal{R}$ is a bisimulation up to context we have $\mathcal{R} \rightarrowtail \hat{\mathcal{R}}$. The stronger version of Theorem 7 now implies $\hat{\mathcal{R}} \rightarrowtail \hat{\hat{\mathcal{R}}}$. Since the composition of contexts is associative we have $\hat{\hat{\mathcal{R}}} = \hat{\mathcal{R}}$, which implies $\hat{\mathcal{R}} \rightarrowtail \hat{\mathcal{R}}$ and hence that $\hat{\mathcal{R}}$ is a bisimulation, i.e., $\hat{\mathcal{R}} \subseteq\ \sim$. This implies $\mathcal{R} \subseteq \hat{\mathcal{R}} \subseteq\ \sim$.

Since contextualization is defined only up to isomorphism, we can assume that $\mathcal{R}$ is closed under isomorphism in the following sense: for every span $G \leftarrow J \to G'$ in $\mathcal{R}$, all isomorphic spans are also contained in $\mathcal{R}$.

Similarly, we can restrict ourselves to abstract transitions when checking for bisimilarity: assume that $(J \to G)\,\mathcal{R}\,(J \to G')$ and there are two transitions
$$(J \to G) \longrightarrow (K \to H) \quad\text{and}\quad (J \to G) \longrightarrow (\bar K \to \bar H)$$
with isomorphisms from $F, K, H$ to $\bar F, \bar K, \bar H$ respectively such that the entire diagram commutes (see Diagram (8)). It is sufficient to show the existence of a transition $(J \to G') \longrightarrow (K \to H')$ such that $(K \to H)\,\mathcal{R}\,(K \to H')$. From this transition and Diagram (8) we can derive Diagram (9), where the arrows pointing upwards are isomorphisms and the diagram commutes. In such a situation we can infer the existence of a transition $(J \to G') \longrightarrow (\bar K \to \bar H')$ such that $H \leftarrow K \to H'$ and $\bar H \leftarrow \bar K \to \bar H'$ are isomorphic spans, from which it follows that $(\bar K \to \bar H)\,\mathcal{R}\,(\bar K \to \bar H')$.




We now show how to exploit this proof technique and prove that two graphs are bisimilar. We assume that the set $\mathcal{P}$ of rules depicted in Figure 1 is given and we consider the two graphs with interfaces of Figure 4.



Fig. 4. Two graphs with interfaces which are bisimilar.



We consider the symmetric relation
$$\mathcal{R} = \{(J \to G,\ J \to G'),\ (J \to G',\ J \to G)\}$$

and we will show that it is a bisimulation up to context. For each of the three 
rules there are several partial matches for both G and G'. Most of these matches 
are not very interesting, since the graph to be rewritten and the left-hand side 
overlap only in their interfaces, but the corresponding transitions have to be 
checked nevertheless. (We discuss possible simplifications in the conclusion.) 

In order to give a general idea, we consider only two transitions of $J \to G$ in detail, where both are instances of rule [simplex]. These two transitions will be written
$$(J \to G) \longrightarrow (K_i \to H_i),$$
where $i = 1, 2$. The graphs $F_i, K_i, H_i$ and the corresponding morphisms are depicted in Figure 5. Note that we have already shown how to derive the first transition of $J \to G$ in Figure 3 (where $F_1 = F$, $K_1 = K$, $H_1 = H$).

In order to show that $\mathcal{R}$ is a bisimulation up to context, we have to find matching transitions
$$(J \to G') \longrightarrow (K_i \to H'_i)$$
for $i = 1, 2$, such that $(K_i \to H_i)\,\hat{\mathcal{R}}\,(K_i \to H'_i)$. Such transitions can be derived and the graphs $H'_i$ with their corresponding morphisms are also depicted in Figure 5. Note that the first transition is an instance of rule [duplex-1], while the second transition is an instance of rule [duplex-2].
Fig. 5. Matching transitions of bisimilar graphs.



Furthermore, it holds that $(K_i \to H_i)\,\hat{\mathcal{R}}\,(K_i \to H'_i)$ for $i = 1, 2$, since these graphs can be obtained by composing $J \to G$ respectively $J \to G'$ with a context consisting of two nodes and a looping $M$-edge. After checking also the remaining transitions we can conclude $(J \to G) \sim (J \to G')$ from Proposition 10.

This means that in every context we can replace a duplex connection by two simplex connections and vice versa. Even this small example shows us that in order to obtain a bisimilarity result, proof techniques are needed in order to keep $\mathcal{R}$ finite. Otherwise we would have to deal with a relation containing infinitely many elements.

6 Conclusion 

We have presented a way to derive labelled transitions and bisimulation con- 
gruences for graph transformation systems. It is our hope that this work will 
be helpful for the transfer of concepts from the world of process algebras to 
the world of graph rewriting and vice versa. We believe that having graphs as 
objects (and graph morphisms as arrows) instead of having graphs as arrows is 
useful for tracking graph components and thus enables us to easily state which 
components are associated with each other in different graphs. Hence we need 
not consider explicit names for graph components. 

We have made some investigations concerning the adaptation of the concept of relative pushouts for cospans of graphs. However, there are fundamental problems, mainly caused by graphs having non-trivial automorphisms (see, e.g., the counterexample in [13] on pages 80/81, which can be directly transferred into our framework). We believe, however, that our construction is very close in spirit to the notion of relative pushouts introduced by Leifer and Milner and that it should be possible to show the equivalence of these two notions in a suitable graph category with support.
Our results do not only hold in graph structure categories, but also in other categories which satisfy certain properties typical for the categories of sets and high-level replacement systems [4]. In this context it is also interesting to point out that most of the categorical properties we need hold already in adhesive categories [12].

In the future we also plan to address the following two questions: How should 
weak bisimilarity be defined and is it a congruence? Do our results still hold if 
we allow for non-injective morphisms? Furthermore we plan to introduce more 
proof techniques in order to simplify bisimulation proofs. One such technique 
is clearly suggested by the example in Section 5. Whenever a graph and a left- 
hand side overlap only in their interfaces, another graph with the same interface 
will certainly be able to match the corresponding rewriting step with borrowed 
context, since this step only changes the interface itself. Hence it should be 
possible to remove some superfluous transitions without changing the underlying 
bisimilarity. 

Another interesting question would be to find out which bisimulation congruences are produced by the various encodings of the $\pi$-calculus into graph rewriting and to see in what way they are related to existing congruences for this calculus. It also remains to determine in what way our bisimilarity is related to dynamic bisimulation as presented in [1,18].
Abstract. We show that the standard normalization-by-evaluation construction for the simply-typed $\lambda\beta\eta$-calculus has a natural counterpart for the untyped $\lambda\beta$-calculus, with the central type-indexed logical relation replaced by a "recursively defined" invariant relation, in the style of Pitts. In fact, the construction can be seen as generalizing a computational-adequacy argument for an untyped, call-by-name language to normalization instead of evaluation.

In the untyped setting, not all terms have normal forms, so the normalization function is necessarily partial. We establish its correctness in the senses of soundness (the output term, if any, is $\beta$-equivalent to the input term); standardization ($\beta$-equivalent terms are mapped to the same result); and completeness (the function is defined for all terms that do have normal forms). We also show how the semantic construction enables a simple yet formal correctness proof for the normalization algorithm, expressed as a functional program in an ML-like call-by-value language.



1 Introduction 

1.1 Reduction-Based and Reduction-Free Normalization 

Traditional accounts of term normalization are based on a directed notion of reduction (such as $\beta$-reduction), which can be applied anywhere within a term. A term is said to be a normal form if no reductions can be performed on it. If the reduction relation is confluent, normal forms are uniquely determined, so normalization is a (potentially partial) function on terms. Some terms (such as $\Omega$) may not have normal forms at all; or a particular reduction strategy (such as normal-order reduction) may be required to guarantee arrival at a normal form when one exists; such a strategy is called complete. There is a very large body of work dealing with normalization in reduction-based settings.

However, in recent years, a rather different notion of normalization has 
emerged, so-called reduction-free normalization. As the name suggests, it is not 
based on a directed notion of reduction, but rather on an undirected notion of 

* A version of this article with detailed proofs is available as a technical report [5]. 
*** Basic Research in Computer Science (www.brics.dk), 
funded by the Danish National Research Foundation. 
term equivalence. Equivalence may be defined as simply the reflexive-transitive-symmetric closure of an existing reduction relation, but it does not have to be: any congruence relation on terms may be used. The task of normalization is then to define a normalization function on terms, such that the output of the function is equivalent to the input, and such that any two equivalent terms are mapped to identical outputs [3].

For some notions of equivalence (such as $\beta$-convertibility of untyped lambda-terms), it is actually impossible to define a computable, total normalization function with both of these properties; we must thus accept that the normalization function may be partial. However, even in that case, we can impose a completeness constraint: if we have an independent syntactic characterization of acceptable normal forms, we can require that the function both produce terms in this form as output, and that it be defined on all terms equivalent to a normal form.



1.2 Normalization by Evaluation 

A particularly natural way of obtaining a reduction-free normalization function is known as normalization by evaluation (NBE), based on the following idea: suppose we can construct a denotational model of the term syntax (i.e., such that equivalent terms have the same denotation), with the property that a syntactic representation of the term (up to equivalence) can be extracted from its denotation; such a model is called residualizing. Then the normalization function can be expressed simply as a (compositional) interpretation in the model, followed by extraction.

A priori, such a normalization function is not necessarily effectively computable. It can be given a computational interpretation if the denotational model is constructed in intuitionistic set theory [3], but this gets somewhat complicated for domain-theoretic models, especially those involving reflexive domains. In such cases, it is often easier to establish that the constructions are effective by showing that they can be expressed as images of program terms in a language for which the domain-theoretic semantics is already known to be computationally adequate.

(It should be noted that the term NBE is also sometimes used for a related concept, based on reducing, usually in a compositional way, the normalization problem, which may in general involve open terms of higher type, to an evaluation problem, which involves normalization of only closed terms of base type. The required transformation is often syntactically related to the model-based construction above, but the model itself is not made explicit; and in fact, the subsequent evaluation process may still be specified entirely in terms of reductions.)



1.3 The Berger-Schwichtenberg Normalization Algorithm

Perhaps the best-known NBE algorithm is due to Berger and Schwichtenberg [2]. It finds $\beta\eta$-long normal forms of simply-typed $\lambda$-terms. We present here its outline, glossing over inessential details.
Types are of the form $\tau ::= b \mid \tau_1 \to \tau_2$. A natural set-theoretic model interprets each base type $b$ as some set, and the function type as the set of all functions between the interpretations of the types, i.e., $[\![\tau_1 \to \tau_2]\!] = [\![\tau_1]\!] \to [\![\tau_2]\!]$. For a type assignment $\Gamma$, we also take $[\![\Gamma]\!] = \prod_{x \in \mathrm{dom}\,\Gamma} [\![\Gamma(x)]\!]$.

Let $\Lambda$ be the set of syntactic $\lambda$-terms (written with explicit constructors for emphasis) over a set of variables $V$. For a well-typed term $\Gamma \vdash m : \tau$, we can then express its semantics $[\![m]\!] \in [\![\Gamma]\!] \to [\![\tau]\!]$ as follows:
$$[\![\mathrm{VAR}(x)]\!]\,\rho = \rho(x)$$
$$[\![\mathrm{LAM}(x^{\tau}, m_0)]\!]\,\rho = \lambda a.\ [\![m_0]\!]\,\rho[x \mapsto a]$$
$$[\![\mathrm{APP}(m_1, m_2)]\!]\,\rho = [\![m_1]\!]\,\rho\,([\![m_2]\!]\,\rho)$$
It is easy to check that such a model is sound for conversion, i.e., that when $m \leftrightarrow_{\beta\eta} m'$, then $[\![m]\!] = [\![m']\!]$.

Consider now a model where all base types are interpreted as the set of (open) syntactic $\lambda$-terms, i.e., $[\![b]\!] = \Lambda$ for all $b$. In this model, we can define a pair of type-indexed function families: reification, $\downarrow^{\tau} : [\![\tau]\!] \to \Lambda$, and reflection, $\uparrow^{\tau} : \Lambda \to [\![\tau]\!]$, by mutual induction on types:
$$\downarrow^{b} l = l$$
$$\downarrow^{\tau_1 \to \tau_2} f = \mathrm{LAM}(x^{\tau_1}, \downarrow^{\tau_2}(f(\uparrow^{\tau_1} \mathrm{VAR}(x)))) \quad\text{(where $x$ is chosen ``fresh'')}$$
$$\uparrow^{b} l = l$$
$$\uparrow^{\tau_1 \to \tau_2} l = \lambda a.\ \uparrow^{\tau_2}(\mathrm{APP}(l, \downarrow^{\tau_1} a))$$

For simplicity, let us only consider normal forms of closed terms. Then reification can serve directly as an extraction function: one can check that, for a term $\vdash m : \tau$ in $\beta\eta$-long normal form, $\downarrow^{\tau}([\![m]\!]\,\emptyset) \equiv_\alpha m$. Hence, by soundness of the model, for any term $m'$ with $m' \leftrightarrow_{\beta\eta} m$, $\downarrow^{\tau}([\![m']\!]\,\emptyset) = \downarrow^{\tau}([\![m]\!]\,\emptyset) \equiv_\alpha m \leftrightarrow_{\beta\eta} m'$.

Alternatively, one can show the latter property directly, for an arbitrary $m'$. Either way, the typical proof ultimately involves a logical-relations argument, even if this argument is pushed entirely into a standard result about the syntax (namely, that every well-typed term has a $\beta\eta$-long normal form). The latter approach, however, generalizes better, especially to systems where not all terms have normal forms.

1.4 A Tentative Algorithm for Untyped Terms

In an untyped (or, more accurately, unityped) setting, we may hope to get a residualizing model by interpreting the single type of terms as a domain $D = \Lambda + (D \to D)$. (Again, we gloss over domain-theoretic subtleties for expository purposes.) We can then define variants of reification, $\downarrow : D \to \Lambda$, and reflection, $\uparrow : \Lambda \to D$, roughly analogous to the simply-typed case:
$$\downarrow d = \mathbf{case}\ d\ \mathbf{of}\ \mathrm{in}_1(l) \to l \mid \mathrm{in}_2(f) \to \mathrm{LAM}(x, \downarrow(f(\uparrow \mathrm{VAR}(x)))) \quad (x\ \text{``fresh''})$$
$$\uparrow l = \mathrm{in}_1(l)$$
Note that reification is now defined by general recursion, rather than induction. We can also construct an interpretation, $[\![m]\!] \in (V \to D) \to D$, by
$$[\![\mathrm{VAR}(x)]\!]\,\rho = \rho(x)$$
$$[\![\mathrm{LAM}(x, m_0)]\!]\,\rho = \mathrm{in}_2(\lambda d.\ [\![m_0]\!]\,\rho[x \mapsto d])$$
$$[\![\mathrm{APP}(m_1, m_2)]\!]\,\rho = \mathbf{case}\ [\![m_1]\!]\,\rho\ \mathbf{of}\ \mathrm{in}_1(l) \to \uparrow \mathrm{APP}(l, \downarrow([\![m_2]\!]\,\rho)) \mid \mathrm{in}_2(f) \to f([\![m_2]\!]\,\rho)$$
Here, reflection is performed "on demand": when application needs a semantic function, but $[\![m_1]\!]\,\rho$ is a piece of syntax, it is reflected just enough to allow the application to be performed.

Again, it can be checked that $\beta$-convertible terms have the same denotation. It is also fairly easy to verify that, for a closed $m$ in $\beta$-normal form, $\downarrow([\![m]\!]\,\emptyset) \equiv_\alpha m$. What is not obvious at all, however, is that when $\downarrow([\![m']\!]\,\emptyset) = m$ for a general $m'$, then $m'$ must be syntactically $\beta$-convertible to a normal form. Indeed, the problem is a generalization of the usual computational-adequacy problem for a denotational semantics of a functional language: if the denotation of a closed term is not $\bot$, must the term then evaluate to a value?

For a simply typed language, PCF, adequacy of the natural domain-theoretic semantics was shown by Plotkin, using a logical-relations argument [8]. Pitts showed that essentially the same argument applies to an untyped language, except that the central relation is no longer constructed by induction on types, but as a solution of a more general "relation equation"; he also showed a general method for solving such equations, yielding invariant relations [6].

In this paper, we first formalize the construction of the normalization func- 
tion from above, addressing especially the issues of potential divergence and 
generation of fresh variable names (Section 2). We then show correctness of this 
function by a generalized computational-adequacy construction (Section 3). Fi- 
nally, we show how the domain-theoretic analysis directly validates a functional 
program implementing the construction (Section 4). 

1.5 Related Work 

The closest related work to ours is probably the NBE-based (in the alternate sense) algorithm for untyped $\beta$-normalization proposed by Aehlig and Joachimski [1]. However, while the functional programs ultimately derived from the analyses are quite similar, the correctness arguments are completely different: theirs are based entirely on syntactic concepts and results from higher-order rewriting theory, rather than on the domain-theoretic constructions underlying ours. In particular, their algorithm is very explicitly reduction-based, departing from the original meaning of NBE as term extraction from a denotational model of a conversion relation.

We believe that the domain-theoretic approach enables a more direct and 
precise correctness proof for the normalizer, as actually implemented. In Aehlig 
and Joachimski’s work, the abstract algorithm is expressed as a small-step op- 
erational semantics for a specialized, two-level A-calculus with named bound 
variables; yet the actual normalization program is expressed as a compositional interpreter in Haskell, using de Bruijn indices for bound variables, and a reflexive type for the meanings of higher-typed terms. No connection is made to a formal semantics (operational or otherwise) of the relevant Haskell fragment. While it may well be possible to formally close this gap, it remains as a potentially major undertaking. On the other hand, formally relating the domain-theoretic constructions in the model-based normalizer to the functional terms implementing them is completely straightforward. We expect, but have not formally investigated, that Aehlig and Joachimski's interesting extensions of the basic algorithm to infinite normal forms (Böhm trees) could also be expressed naturally in the denotational setting, and be used to validate a functional program producing such normal forms lazily.

Many of the constructions in the present paper are inspired by the first author's work on type-directed partial evaluation [4]. Apart from the obvious differences arising from typed vs. untyped languages, a significant change is also that the TDPE work considered equivalence defined semantically (equality of denotations for all interpretations of "dynamic" constants), while here we consider syntactic $\beta$-convertibility. Accordingly, the central invariant relation ties denotations to syntactic terms, rather than to denotations in another semantics.

Essentially the same program as in Section 4, but expressed in FreshML, can be found in a recent paper by Shinwell et al. [9, Figure 7]. However, the focus there is on a practical application of fresh-name generation, rather than on normalization as such. Indeed, the underlying algorithm is only informally attributed to Coquand, and carries no formal correctness argument. In the present work, generation of fresh names is handled explicitly: since constructed output terms are never subsequently analyzed, using a general framework such as FreshML, or higher-order abstract syntax, is probably overkill. However, we anticipate that a different "back end" for output generation could be used, and have deliberately tried to keep the constructions and proofs modular with respect to the term-generation operations. We thus expect that essentially the same arguments, perhaps even a little simplified, could be used to verify correctness of the FreshML variant of the normalizer as well.

2 A Semantic Normalization Construction 

2.1 Syntax and Semantics of the Untyped $\lambda$-Calculus

Syntax. Let $V$ be a countably infinite set of (object) variables, with $x$ and $v$ ranging over $V$. Let $\Lambda$ be the set of $\lambda$-terms defined by
$$m ::= \mathrm{VAR}(x) \mid \mathrm{LAM}(x, m_0) \mid \mathrm{APP}(m_1, m_2)$$
The set of free variables of a term, $FV(m)$, is defined in the usual way. For any finite set of variables $\Delta$, we write $\Lambda^{\Delta}$ for the set of $\lambda$-terms over $\Delta$, i.e.,
$$\Lambda^{\Delta} = \{m \in \Lambda \mid FV(m) \subseteq \Delta\}$$
Substitutions. For technical reasons, we take simultaneous (as opposed to single-variable), capture-avoiding substitution as the basic concept. Accordingly, we say that a substitution $\theta$ is a finite partial function from variables to terms. We take $FV(\theta) = \bigcup_{x \in \mathrm{dom}\,\theta} FV(\theta(x))$, and define the action of $\theta$ on a term $m$ in the usual way, by structural induction on $m$:
$$\mathrm{VAR}(x)[\theta] = \begin{cases} \theta(x) & \text{if } x \in \mathrm{dom}\,\theta \\ \mathrm{VAR}(x) & \text{otherwise} \end{cases}$$
$$\mathrm{LAM}(x, m_0)[\theta] = \mathrm{LAM}(x', m_0[\theta[x \mapsto \mathrm{VAR}(x')]]) \quad\text{where } x' \notin FV(\theta) \cup (FV(m_0) \setminus \{x\})$$
$$\mathrm{APP}(m_1, m_2)[\theta] = \mathrm{APP}(m_1[\theta], m_2[\theta])$$
As a special case, we use the standard notation $m[m'/x]$ to mean $m[[x \mapsto m']]$. To keep the substitution operation deterministic, we assume that the $x'$ in the LAM-clause is picked as some fixed but arbitrary function of the (finite) set of variables it needs to avoid.
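The substitution clauses above, as an added example that is not part of the paper: a direct implementation of the simultaneous, capture-avoiding $m[\theta]$, with the LAM-clause renaming the bound variable exactly as the definition prescribes. Terms are represented as tagged tuples, and `fresh` is one admissible choice of the "fixed but arbitrary function" of the set of variables to avoid (both are representation choices of this example).

```python
# Added example (not the paper's code): simultaneous capture-avoiding
# substitution m[theta] of Section 2.1.  Terms are tagged tuples; a
# substitution theta is a dict from variable names to terms.
from itertools import count


def VAR(x): return ("VAR", x)
def LAM(x, m0): return ("LAM", x, m0)
def APP(m1, m2): return ("APP", m1, m2)


def fv(m):
    """FV(m): the free variables of m, defined in the usual way."""
    tag = m[0]
    if tag == "VAR":
        return {m[1]}
    if tag == "LAM":
        return fv(m[2]) - {m[1]}
    return fv(m[1]) | fv(m[2])


def fv_subst(theta):
    """FV(theta) = union of FV(theta(x)) over x in dom(theta)."""
    return set().union(*(fv(t) for t in theta.values()))


def fresh(avoid, base):
    """Deterministic choice of x' not in `avoid`: keep `base` if it is
    already safe, otherwise append the least suffix that makes it safe.
    (One fixed-but-arbitrary function, as the paper permits.)"""
    if base not in avoid:
        return base
    for k in count(1):
        cand = f"{base}{k}"
        if cand not in avoid:
            return cand


def subst(m, theta):
    """m[theta], by structural induction on m."""
    tag = m[0]
    if tag == "VAR":
        x = m[1]
        return theta[x] if x in theta else VAR(x)      # VAR(x) otherwise
    if tag == "LAM":
        x, m0 = m[1], m[2]
        # x' must avoid FV(theta) and FV(m0) \ {x}
        avoid = fv_subst(theta) | (fv(m0) - {x})
        x2 = fresh(avoid, x)
        theta2 = dict(theta)
        theta2[x] = VAR(x2)                              # theta[x -> VAR(x')]
        return LAM(x2, subst(m0, theta2))
    return APP(subst(m[1], theta), subst(m[2], theta))


def subst1(m, mprime, x):
    """The special case m[m'/x] = m[[x -> m']]."""
    return subst(m, {x: mprime})
```

The simultaneous form matters: applying `{x -> y, y -> x}` to `APP(x, y)` swaps the variables, which two sequential single-variable substitutions would not do.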

Conversion and normalization. We define convertibility between $\lambda$-terms, written $m \leftrightarrow m'$, by the axiom schemas for $\alpha$- and $\beta$-conversion,
$$\mathrm{LAM}(x, m) \leftrightarrow \mathrm{LAM}(x', m[x'/x]) \quad (x' \notin FV(m) \setminus \{x\})$$
$$\mathrm{APP}(\mathrm{LAM}(x, m), m') \leftrightarrow m[m'/x]$$
together with the standard equivalence and compatibility rules, making $\leftrightarrow$ into a congruence relation on terms.

We further define atomic (also known as neutral) and normal forms, as follows:
$$\frac{}{\vdash_{at} \mathrm{VAR}(x)} \qquad \frac{\vdash_{at} m_1 \quad \vdash_{nf} m_2}{\vdash_{at} \mathrm{APP}(m_1, m_2)} \qquad \frac{\vdash_{at} m}{\vdash_{nf} m} \qquad \frac{\vdash_{nf} m_0}{\vdash_{nf} \mathrm{LAM}(x, m_0)}$$

We then expect a normalization function on terms to satisfy that the output, 
if any, is in normal form and convertible to the input (soundness); convertible 
terms either give the same output, or neither one does (standardization); and 
if a term has a normal form at all, the normalization function will return one 
(completeness). 

Semantics. A natural way of defining a denotational model of convertibility is in terms of a reflexive pointed cpo $D$. Reflexivity means that the continuous-function space $[D \to D]$ is a retract of $D$, i.e., that there exist continuous functions
$$\phi : [D \to D] \to D \quad\text{and}\quad \psi : D \to [D \to D],$$
such that $\psi \circ \phi = \mathrm{id}_{[D \to D]}$. The induced interpretation, $[\![m]\!] \in [[V \to D] \to D]$, is then:
$$[\![\mathrm{VAR}(x)]\!]\,\rho = \rho(x)$$
$$[\![\mathrm{LAM}(x, m_0)]\!]\,\rho = \phi(\lambda d^{D}.\ [\![m_0]\!]\,\rho[x \mapsto d])$$
$$[\![\mathrm{APP}(m_1, m_2)]\!]\,\rho = \psi([\![m_1]\!]\,\rho)\,([\![m_2]\!]\,\rho)$$
Lemma 1. The interpretation has two expectable properties:

a. If $\forall x \in FV(m).\ \rho(x) = \rho'(x)$, then $[\![m]\!]\,\rho = [\![m]\!]\,\rho'$.

b. Let $\theta = [x_1 \mapsto m_1, \ldots, x_n \mapsto m_n]$ be a substitution. Then $[\![m[\theta]]\!]\,\rho = [\![m]\!]\,\rho[x_1 \mapsto [\![m_1]\!]\,\rho, \ldots, x_n \mapsto [\![m_n]\!]\,\rho]$.

Proof. Part (a) is a straightforward induction on the structure of $m$. Part (b) follows by induction on the structure of $m$, using part (a) in the LAM-case.

Lemma 2 (model soundness). If $m \leftrightarrow m'$ then $[\![m]\!] = [\![m']\!]$.

Proof. By induction on the derivation of $m \leftrightarrow m'$, using Lemma 1 for $\alpha$- and $\beta$-conversion, and using that $\psi \circ \phi = \mathrm{id}_{[D \to D]}$ for $\beta$-conversion.

2.2 Output-Term Generation

We want to account rigorously for the generation of fresh names, and do so in a modular manner. We will therefore construct a set $\hat\Lambda$ (dependent on the name generation scheme) with elements denoted by $l$, together with wrapper functions,
$$\widehat{\mathrm{VAR}} : V \to \hat\Lambda, \qquad \widehat{\mathrm{LAM}} : [V \to \hat\Lambda] \to \hat\Lambda, \qquad \widehat{\mathrm{APP}} : \hat\Lambda \times \hat\Lambda \to \hat\Lambda$$
where, in particular, $\widehat{\mathrm{LAM}}$ provides a fresh name to be used in constructing the body of the $\lambda$-abstraction.

Let $\mathcal{N}$ be a set (discrete cpo) containing at least the natural numbers, with an operation $\cdot + 1 : \mathcal{N} \to \mathcal{N}$, agreeing with the successor operation on naturals. Let $\{g_0, g_1, \ldots\}$ be a countably infinite subset of $V$, such that $g_i = g_j$ implies $i = j$, and let $\mathrm{gen} : \mathcal{N} \to V$ be such that $\mathrm{gen}(n) = g_n$ when $n \in \mathbb{N}$.

We write $\lfloor \cdot \rfloor$ for the inclusion from $A$ to $A_\bot$; and for $f : A \to B$ with $B$ pointed, we write $\cdot * f$ for $f$'s strict extension to $A_\bot$, i.e., $\bot * f = \bot_B$ and $\lfloor a \rfloor * f = f\,a$. We then take $\hat\Lambda = [\mathcal{N} \to \Lambda_\bot]$ and define wrapper functions for constructing $\lambda$-terms using de Bruijn-level (not -index!) naming as follows:
$$\widehat{\mathrm{VAR}}(v) = \lambda n^{\mathcal{N}}.\ \lfloor \mathrm{VAR}(v) \rfloor$$
$$\widehat{\mathrm{LAM}}(f) = \lambda n^{\mathcal{N}}.\ f\,\mathrm{gen}(n)\,(n+1) * \lambda m_0.\ \lfloor \mathrm{LAM}(\mathrm{gen}(n), m_0) \rfloor$$
$$\widehat{\mathrm{APP}}(l_1, l_2) = \lambda n^{\mathcal{N}}.\ l_1\,n * \lambda m_1.\ l_2\,n * \lambda m_2.\ \lfloor \mathrm{APP}(m_1, m_2) \rfloor$$

Note 1. If we took freshness as a primitive concept, like in FreshML, we could simply use $\hat\Lambda = \Lambda_\bot$; $\widehat{\mathrm{VAR}}(v) = \lfloor \mathrm{VAR}(v) \rfloor$; $\widehat{\mathrm{LAM}}(f) = f\,x * \lambda m_0.\ \lfloor \mathrm{LAM}(x, m_0) \rfloor$, with $x$ fresh for $f$; and $\widehat{\mathrm{APP}}(l_1, l_2) = l_1 * \lambda m_1.\ l_2 * \lambda m_2.\ \lfloor \mathrm{APP}(m_1, m_2) \rfloor$.

2.3 A Residualizing Model

From standard domain-theoretic results (e.g., [6]), we know that there exists a pointed cpo $D_r$, together with an isomorphism
$$i : D_r \to (\hat\Lambda + [D_r \to D_r])_\bot$$
Moreover, this solution is a so-called minimal invariant, which we will need in the next section.

We first define the reification function $\downarrow : D_r \to \hat\Lambda$ and reflection function $\uparrow : \hat\Lambda \to D_r$, as follows:
$$\downarrow d = \mathbf{case}\ i(d)\ \mathbf{of}\ \lfloor \mathrm{in}_1(l) \rfloor \to l \mid \lfloor \mathrm{in}_2(f) \rfloor \to \widehat{\mathrm{LAM}}(\lambda x^{V}.\ \downarrow(f(\uparrow \widehat{\mathrm{VAR}}(x))))$$
$$\uparrow l = i^{-1}(\lfloor \mathrm{in}_1(l) \rfloor)$$
where the recursive definition of $\downarrow$ is interpreted in the usual least-fixed-point sense. Using these, we construct appropriate functions $\phi_r : [D_r \to D_r] \to D_r$ and $\psi_r : D_r \to [D_r \to D_r]$:
$$\phi_r(f) = i^{-1}(\lfloor \mathrm{in}_2(f) \rfloor)$$
$$\psi_r(d) = \mathbf{case}\ i(d)\ \mathbf{of}\ \lfloor \mathrm{in}_1(l) \rfloor \to \lambda d'^{D_r}.\ \uparrow \widehat{\mathrm{APP}}(l, \downarrow d') \mid \lfloor \mathrm{in}_2(f) \rfloor \to f \mid \bot \to \bot_{[D_r \to D_r]}$$
Clearly, we have that $\psi_r \circ \phi_r = \mathrm{id}_{[D_r \to D_r]}$, since $i$ was an isomorphism. The induced interpretation is denoted by $[\![\cdot]\!]_r$. We can now define a putative normalization function:

Definition 1. For any $\Delta$, let $\sharp\Delta = \max(\{n + 1 \mid g_n \in \Delta\} \cup \{0\})$ (i.e., the least $n$ such that $\forall n' \ge n.\ g_{n'} \notin \Delta$). We then define the function $\mathrm{norm}_\Delta : \Lambda^{\Delta} \to \Lambda_\bot$ by
$$\mathrm{norm}_\Delta(m) = \downarrow([\![m]\!]_r\,(\lambda x^{V}.\ \uparrow \widehat{\mathrm{VAR}}(x)))\ \sharp\Delta$$
In particular, when $\Delta$ is disjoint from the set of $g_i$-names (so $\sharp\Delta = 0$), we write just $\mathrm{norm}$ for $\mathrm{norm}_\Delta$.
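The normalizer of Definition 1, as an added example that is not the paper's own ML program of Section 4: it builds the de Bruijn-level wrappers of Section 2.2 and the reification, reflection, $\phi_r$ and $\psi_r$ of Section 2.3, then computes $\mathrm{norm}_\Delta$. Representation choices of this example: terms are tagged tuples, an element of $\hat\Lambda$ is a function from a level to a term with `None` for $\bot$, $D_r$ is modelled by tagged pairs so that $i$ is the identity, the names $g_n$ are spelled `"g0"`, `"g1"`, ..., and `norm_or_none` is a demonstration device that turns divergence (a Python `RecursionError`) into `None`.

```python
# Added example (not the paper's program): norm_Delta of Definition 1 over
# the wrappers of Section 2.2 and the residualizing model of Section 2.3.
#   - terms: ("VAR", x) / ("LAM", x, m0) / ("APP", m1, m2)
#   - Lambda-hat: a function level -> term, None standing for bottom, so the
#     strict extension "* f" becomes an explicit None check
#   - D_r: ("in1", l) or ("in2", f), with the isomorphism i the identity;
#     bottom in D_r is divergence of the Python computation
#   - gen(n) = g_n is spelled "g" followed by n

def VAR(x): return ("VAR", x)
def LAM(x, m0): return ("LAM", x, m0)
def APP(m1, m2): return ("APP", m1, m2)


def gen(n):
    """gen(n) = g_n."""
    return f"g{n}"


# Wrappers: Lambda-hat = [N -> Lambda_bot], strict in the pieces they combine.
def VAR_(v):
    return lambda n: VAR(v)


def LAM_(f):
    def l(n):
        m0 = f(gen(n))(n + 1)           # body generated at the next level
        return None if m0 is None else LAM(gen(n), m0)
    return l


def APP_(l1, l2):
    def l(n):
        m1 = l1(n)
        if m1 is None:
            return None
        m2 = l2(n)
        return None if m2 is None else APP(m1, m2)
    return l


# Reflection (up) and reification (down) on D_r.
def reflect(l):
    return ("in1", l)                   # up l = i^-1 (|in1(l)|)


def reify(d):                           # down d, by general recursion
    tag, payload = d
    if tag == "in1":
        return payload
    f = payload
    return LAM_(lambda x: reify(f(reflect(VAR_(x)))))


# phi_r and psi_r: the retraction of [D_r -> D_r] into D_r.
def phi_r(f):
    return ("in2", f)


def psi_r(d):
    tag, payload = d
    if tag == "in1":                    # syntax: reflect just enough to apply
        l = payload
        return lambda d2: reflect(APP_(l, reify(d2)))
    return payload                      # already a semantic function


def interp(m, rho):
    """[[m]]_r rho; rho maps variable names to D_r."""
    tag = m[0]
    if tag == "VAR":
        return rho(m[1])
    if tag == "LAM":
        x, m0 = m[1], m[2]
        return phi_r(lambda d: interp(m0, lambda y: d if y == x else rho(y)))
    return psi_r(interp(m[1], rho))(interp(m[2], rho))


def sharp(delta):
    """#Delta = max({n+1 | g_n in Delta} U {0})."""
    return max([int(v[1:]) + 1 for v in delta
                if v[:1] == "g" and v[1:].isdigit()] + [0])


def norm(m, delta=frozenset()):
    """norm_Delta(m) = down([[m]]_r (lambda x. up VAR_(x))) #Delta.
    Raises RecursionError where the paper's partial function is undefined."""
    rho0 = lambda x: reflect(VAR_(x))
    return reify(interp(m, rho0))(sharp(delta))


def norm_or_none(m, delta=frozenset()):
    """Demonstration device (not from the paper): divergence becomes None."""
    try:
        return norm(m, delta)
    except RecursionError:
        return None


if __name__ == "__main__":
    K = LAM("x", LAM("y", VAR("x")))
    I = LAM("z", VAR("z"))
    print(norm(APP(K, I)))                                   # LAM g0 (LAM g1 g1)
    print(norm(APP(LAM("x", LAM("z", VAR("x"))), VAR("g0")), {"g0"}))
    omega = LAM("x", APP(VAR("x"), VAR("x")))
    print(norm_or_none(APP(omega, omega)))                   # None
```

The second call shows why $\sharp\Delta$ is needed: with $g_0$ free in the input, the bound name is generated at level 1, so the result is $\mathrm{LAM}(g_1, \mathrm{VAR}(g_0))$ rather than a term that captures $g_0$.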

3 Correctness of the Construction

3.1 Correctness of the Wrappers

Let $s \in \{at, nf\}$ be a syntactic-form designator. We first define a quaternary relation, $l \models^{\Delta}_{s} m$, expressing that if $l$ represents a term at all, then that term only has free variables in $\Delta$, is of the syntactic form $s$, and is convertible to $m$:

Definition 2. For $l \in \hat\Lambda$ and $m \in \Lambda^{\Delta}$, we then define the relation $\models^{\Delta}_{s}$ by
$$l \models^{\Delta}_{s} m \iff \forall n \ge \sharp\Delta,\ m' \in \Lambda.\ l\,n = \lfloor m' \rfloor \Rightarrow m' \in \Lambda^{\Delta} \wedge \vdash_s m' \wedge m' \leftrightarrow m$$

Lemma 3. For fixed $\Delta$, $s$, and $m$, the predicate $P = \{l \mid l \models^{\Delta}_{s} m\}$ is pointed (i.e., $\bot \in P$) and inclusive (i.e., closed under limits of $\omega$-chains).

Proof. Straightforward, noting that $\models$ is expressed using intersection, inverse image, and a (necessarily inclusive) predicate on the flat domain $\Lambda_\bot$.
Lemma 4. The representation relation is closed under weakening and conversion:

a. If $l \models^{\Delta}_{s} m$ and $\Delta \subseteq \Delta'$, then also $l \models^{\Delta'}_{s} m$.

b. If $l \models^{\Delta}_{s} m$ and $m \leftrightarrow m'$, then also $l \models^{\Delta}_{s} m'$.

Proof. Both parts are immediate from the definition.

Lemma 5. Representations of terms behave much like the terms themselves:

a. If $v \in \Delta$ then $\widehat{\mathrm{VAR}}(v) \models^{\Delta}_{at} \mathrm{VAR}(v)$.

b. If $l_1 \models^{\Delta}_{at} m_1$ and $l_2 \models^{\Delta}_{nf} m_2$, then $\widehat{\mathrm{APP}}(l_1, l_2) \models^{\Delta}_{at} \mathrm{APP}(m_1, m_2)$.

c. If $l \models^{\Delta}_{at} m$, then also $l \models^{\Delta}_{nf} m$.

d. Let $f \in [V \to \hat\Lambda]$ and $m \in \Lambda^{\Delta \cup \{x\}}$. If $\forall v \notin \Delta.\ f\,v \models^{\Delta \cup \{v\}}_{nf} m[\mathrm{VAR}(v)/x]$, then $\widehat{\mathrm{LAM}}(f) \models^{\Delta}_{nf} \mathrm{LAM}(x, m)$.

Proof. All parts are relatively straightforward; (b) and (d) exploit that $\leftrightarrow$ is a congruence relation. For (d), the assumption about $m$'s free variables is also essential.



3.2 Adequacy of the Residualizing Model

To construct the central relation between denotations and terms, we first state an abstract version of a result due to Pitts [6]:

Theorem 1 (existence of invariant relations). Let $A$ be a cpo, and let $i : D \to (A + [D \to D])_\bot$ be a minimal-invariant solution of the domain equation $D = (A + [D \to D])_\bot$. Let $T$ be a set, and let predicates $P_1 \subseteq A \times T$, $P_2 \subseteq T$, and $P_3 \subseteq T \times T \times T$ be given, such that $\{a \mid P_1(a, t)\}$ is inclusive for every $t \in T$. Then there exists a relation $\lhd \subseteq D \times T$, with $\{d \mid d \lhd t\}$ inclusive for every $t \in T$, and such that, for all $d \in D$ and $t \in T$:
$$\begin{array}{ll} d \lhd t \iff & i(d) = \bot \\ \text{or} & \exists a.\ i(d) = \lfloor \mathrm{in}_1(a) \rfloor \wedge P_1(a, t) \\ \text{or} & \exists f.\ i(d) = \lfloor \mathrm{in}_2(f) \rfloor \wedge P_2(t) \wedge \forall d' \in D,\ t', t'' \in T.\ P_3(t, t', t'') \wedge d' \lhd t' \Rightarrow f(d') \lhd t''. \end{array}$$

Proof. The proof proceeds exactly as in Pitts's paper, with the following minor refinements: first, the cpo $A$ can be arbitrary (not necessarily discrete), as long as the relation $P_1$ is inclusive. Also, when $P_2$ is an existential proposition, the witness need not be unique (such as the result of a deterministic evaluation), as long as the choice of witness does not affect $P_3$.



We can then establish the existence of a Kripke-style invariant relation, using sets of variables as worlds:

Lemma 6. There exists a relation $\lhd$ such that for all $\Delta$, $d \in D_r$ and $m \in \Lambda^{\Delta}$,
$$\begin{array}{ll} d \lhd^{\Delta} m \iff & i(d) = \bot \\ \text{or} & \exists l.\ i(d) = \lfloor \mathrm{in}_1(l) \rfloor \wedge l \models^{\Delta}_{at} m \\ \text{or} & \exists f.\ i(d) = \lfloor \mathrm{in}_2(f) \rfloor \wedge (\exists x \in V, m_0 \in \Lambda^{\Delta \cup \{x\}}.\ \mathrm{LAM}(x, m_0) \leftrightarrow m) \\ & \wedge\ \forall \Delta' \supseteq \Delta,\ d' \in D_r,\ m' \in \Lambda^{\Delta'},\ m_1 \in \Lambda^{\Delta}.\ m \leftrightarrow m_1 \wedge d' \lhd^{\Delta'} m' \Rightarrow f(d') \lhd^{\Delta'} \mathrm{APP}(m_1, m') \end{array}$$

Proof. By Theorem 1, taking $A = \hat\Lambda$ and $T = \{(\Delta, m) \mid \Delta \subseteq V \wedge m \in \Lambda^{\Delta}\}$, with the predicates chosen as
$$P_1 = \{(l, (\Delta, m)) \mid l \models^{\Delta}_{at} m\}$$
$$P_2 = \{(\Delta, m) \mid \exists x \in V, m_0 \in \Lambda^{\Delta \cup \{x\}}.\ \mathrm{LAM}(x, m_0) \leftrightarrow m\}$$
$$P_3 = \{((\Delta, m), (\Delta', m'), (\Delta'', m'')) \mid \Delta \subseteq \Delta' = \Delta'' \wedge \exists m_1 \in \Lambda^{\Delta}.\ m \leftrightarrow m_1 \wedge m'' = \mathrm{APP}(m_1, m')\}$$
using the equivalence $[\forall x.\ (\exists y.\ P(x, y)) \Rightarrow Q(x)] \Leftrightarrow [\forall x\,\forall y.\ P(x, y) \Rightarrow Q(x)]$. $P_1$ is inclusive in its first argument by Lemma 3. We write $d \lhd^{\Delta} m$ instead of $d \lhd (\Delta, m)$.

Lemma 7. The relation < shares two key properties with 

V d TO and A C A' , then also d to. 

b- If d TO and to' G A‘^ with m gg to', then also d to'. 

Proof. Both parts are straightforward, given Lemma 4, and noting the transi- 
tivity of C and GG. 

The following two lemmas will combine to establish adequacy of our semantics:

Lemma 8. For all term families $l$ (elements of $[\mathcal{N} \to \Lambda_\bot]$), $d \in D_r$, and $m \in \Lambda^\Delta$,

a. If $l$ represents $m$ at $\Delta$ then $\uparrow l \lhd_\Delta m$.

b. If $d \lhd_\Delta m$ then $\downarrow d$ represents $m$ at $\Delta$.

Proof. Part (a) follows immediately from the definition of $\uparrow\cdot$. Part (b) exploits
$\downarrow$'s definition as a least fixed point and proceeds by fixed-point induction on the
pointed and inclusive (by Lemma 3) predicate

$R = \{\varphi \in [D_r \to [\mathcal{N} \to \Lambda_\bot]] \mid \forall d, \Delta, m \in \Lambda^\Delta.\ d \lhd_\Delta m \Rightarrow \varphi(d)$ represents $m$ at $\Delta\}$

The verification uses the properties of representations (Lemma 5(a,c,d)), and
that both relations are closed under conversion (Lemmas 4(b) and 7(b)).

Lemma 9. Let $m \in \Lambda^\Gamma$, and for all $x \in \Gamma$, let $\theta(x) \in \Lambda^\Delta$ (in particular,
$\Gamma \subseteq \mathrm{dom}\,\theta$). If $\forall x \in \Gamma.\ \rho(x) \lhd_\Delta \theta(x)$ then $\llbracket m \rrbracket_r\,\rho \lhd_\Delta m[\theta]$.

Proof. By structural induction on $m$. The case for variables is immediate. For
abstractions, as in a standard Kripke-logical-relations proof, monotonicity of $\lhd$
(Lemma 7(a)) ensures that the environment and substitution remain related in
the later world $\Delta'$; also, closure under conversion (Lemma 7(b)) in particular
implies closure under $\beta$-expansion. Both parts of Lemma 8, as well as Lemma 5(b),
are used in the non-standard case for applications.
3.3 Correctness of the Normalization Function

Definition 3. The predicate $\mathrm{tot}(\cdot) \subseteq [\mathcal{N} \to \Lambda_\bot]$ is given by $\mathrm{tot}(l) \iff \forall n \in \mathcal{N}.\ l\,n \neq \bot$.

Lemma 10. The following properties hold of the wrapper functions:

a. For all $v \in V$, $\mathrm{tot}(\mathrm{VAR}(v))$.

b. If for all $v \in V$, $\mathrm{tot}(f\,v)$, then $\mathrm{tot}(\mathrm{LAM}(f))$.

c. If $\mathrm{tot}(l_1)$ and $\mathrm{tot}(l_2)$ then $\mathrm{tot}(\mathrm{APP}(l_1, l_2))$.

Proof. Straightforward verification in each case.

Lemma 11. For all $m \in \Lambda$ and $\rho \in [V \to D_r]$ such that for all $x \in FV(m)$,
there exists an $l$ with $\rho(x) = \uparrow l$ and $\mathrm{tot}(l)$,

a. If $\vdash_{at} m$ then $\exists l \in [\mathcal{N} \to \Lambda_\bot].\ \llbracket m \rrbracket_r\,\rho = \uparrow l \wedge \mathrm{tot}(l)$.

b. If $\vdash_{nf} m$ then $\mathrm{tot}(\downarrow(\llbracket m \rrbracket_r\,\rho))$.

Proof. By simultaneous rule induction on $\vdash_{at} \cdot$ and $\vdash_{nf} \cdot$, relying on Lemma 10
for the totality properties of the wrappers.

Theorem 2 (semantic correctness). $\mathrm{norm}_\Delta$ from Definition 1 is a normalization
function on $\Lambda^\Delta$, i.e.,

a. (soundness) If $\mathrm{norm}_\Delta(m) = \lfloor m' \rfloor$ then $m' \in \Lambda^\Delta$, $\vdash_{nf} m'$, and $m \equiv m'$.

b. (standardization) If $m \equiv m'$ then $\mathrm{norm}_\Delta(m) = \mathrm{norm}_\Delta(m')$.

c. (completeness) If $m \equiv m'$ with $\vdash_{nf} m'$ then $\mathrm{norm}_\Delta(m) \neq \bot$.

Proof. (Soundness) Let $\theta_0$ be the substitution mapping every $x$ in $\Delta$ to $\mathrm{VAR}(x)$,
and $\rho_0 = \lambda x \in \Delta.\ \uparrow\mathrm{VAR}(x)$. By Lemma 5(a), for every $x \in \Delta$, $\mathrm{VAR}(x)$ represents
$\mathrm{VAR}(x) = \theta_0(x)$ at $\Delta$, and hence by Lemma 8(a), $\rho_0(x) \lhd_\Delta \theta_0(x)$. By Lemma 9,
we then get that $\llbracket m \rrbracket_r\,\rho_0 \lhd_\Delta m$, and therefore, by Lemma 8(b),
$\downarrow(\llbracket m \rrbracket_r\,\rho_0)$ represents $m$ at $\Delta$. Assume now that $\mathrm{norm}_\Delta(m) = \lfloor m' \rfloor$. Taking $n = \sharp\Delta$ in
Definition 2, we can then immediately read off that $m'$ has the required properties.

(Standardization) This follows directly from model soundness (Lemma 2),
since the residualizing model is indeed a model.

(Completeness) Using Lemma 10(a), we see that $\rho_0$ satisfies the condition
on $\rho$ in Lemma 11. Hence, by part (b) of the latter lemma and Definition 3,
$\mathrm{norm}_\Delta(m') \neq \bot$. The desired result then follows from (standardization).

4 An Implementation of the Construction 

4.1 Syntax and Semantics of an ML-Like Call-by- Value Language 

The language is a small fragment of Standard ML where, to sidestep inessential
bookkeeping, we have hard-coded the inductive representation of $\lambda$-terms,

datatype term = VAR of string | LAM of string*term | APP of term*term

as an additional base type of the language, and simply taken the value sets
underlying string and term to be the sets $V$ and $\Lambda$, respectively.




A. Filinski and H.K. Rohde



Syntax. The fragment is restricted to a single recursive datatype declaration,

datatype dt = In_1 of τ_1 | ... | In_k of τ_k

where types are given by the grammar

τ ::= unit | int | bool | string | term | τ_1 -> τ_2 | dt

The syntax of ML expressions is then

e ::= x | n | "v" | () | e_1 + e_2 | e_1 = e_2 | "g" ^ Int.toString e |
      fn () => e | fn x => e | e_1 e_2 | VAR(e) | LAM(e_1,e_2) | APP(e_1,e_2) |
      case e of VAR x_1 => e_1 | LAM(x_2,x_3) => e_2 | APP(x_4,x_5) => e_3 |
      In_i(e) | case e of In_1 x_1 => e_1 | ... | In_k x_k => e_k |
      if e_1 then e_2 else e_3 | let fun f (x:τ_1):τ_2 = e_1 in e_2 end

where x and f range over ML variable names.

Typing. We only consider well-typed ML expressions, as captured by the judgement
$x_1{:}\tau_1, \ldots, x_n{:}\tau_n \vdash e : \tau$, asserting that $e$ is of type $\tau$, with free variables
$x_1, \ldots, x_n$ of types $\tau_1, \ldots, \tau_n$. It is defined in the usual way by inference rules.

Operational semantics. A complete program is a closed expression of type $\tau_1$ -> $\tau_2$,
where $\tau_1$ and $\tau_2$ are ground types (i.e., not containing -> or dt). For such types,
let $C_\tau$ denote the set of canonical values underlying $\tau$, e.g., $C_{\mathtt{int}} = \mathbb{Z}$.

For a complete program $e : \tau_1$ -> $\tau_2$, we can construct a computable partial
function $\mathrm{run}_e : C_{\tau_1} \rightharpoonup C_{\tau_2}$, e.g., by

$\mathrm{run}_e(c_1) = c_2$ iff $(e\ \bar{c}_1) \Downarrow \bar{c}_2$,

where $\Downarrow$ is the usual big-step operational semantics of expressions, and $\bar{c}$ denotes
the syntactic representation of the value $c$.

Denotational Semantics. For the meaning of ML types, we take

$\llbracket \mathtt{unit} \rrbracket^{ml} = 1 = \{*\}$, $\llbracket \mathtt{int} \rrbracket^{ml} = \mathbb{Z}$, $\llbracket \mathtt{bool} \rrbracket^{ml} = \mathbb{B}$, $\llbracket \mathtt{string} \rrbracket^{ml} = V$,

$\llbracket \mathtt{term} \rrbracket^{ml} = \Lambda$, $\llbracket \tau_1 \mathtt{\ ->\ } \tau_2 \rrbracket^{ml} = [\llbracket \tau_1 \rrbracket^{ml} \to \llbracket \tau_2 \rrbracket^{ml}_\bot]$, $\llbracket \mathtt{dt} \rrbracket^{ml} = S$

where $S \cong \llbracket \tau_1 \rrbracket^{ml} + \cdots + \llbracket \tau_k \rrbracket^{ml}$ is a minimal-invariant solution to the
evident predomain equation. We write $in_i : \llbracket \tau_i \rrbracket^{ml} \to \llbracket \tau_1 \rrbracket^{ml} + \cdots + \llbracket \tau_k \rrbracket^{ml}$ for
the injection functions.

The meaning of ML terms is defined by induction on the typing derivation;
for conciseness we write only the terms. The semantics is structured such that
if $\Gamma \vdash e : \tau$ and for all $(x : \tau') \in \Gamma$, $\theta(x) \in \llbracket \tau' \rrbracket^{ml}$, then $\llbracket e \rrbracket^{ml}\,\theta \in \llbracket \tau \rrbracket^{ml}_\bot$. In
particular, the semantics of dt-constructors and recursive function definitions
are given by:

$\llbracket \mathtt{let\ fun}\ f\ (x{:}\tau_1){:}\tau_2 = e_1\ \mathtt{in}\ e_2\ \mathtt{end} \rrbracket^{ml}\,\theta =$
$\llbracket e_2 \rrbracket^{ml}\,\theta[f \mapsto \mathrm{fix}(\lambda \varphi \in [\llbracket \tau_1 \rrbracket^{ml} \to \llbracket \tau_2 \rrbracket^{ml}_\bot].\ \lambda a \in \llbracket \tau_1 \rrbracket^{ml}.\ \llbracket e_1 \rrbracket^{ml}\,\theta[f \mapsto \varphi, x \mapsto a])]$

For notational convenience in the following, we will assume that all function
names $f$ in the program are distinct. We can then unambiguously use $\Phi_f$ to refer
to the semantic function whose fixed point $f$ is mapped to in the environment
of the let-body, and $\phi_f = \mathrm{fix}(\Phi_f)$.

Theorem 3 (computational adequacy for ML). For a complete ML program $e$,
$\mathrm{run}_e(c_1) = c_2$ iff $\llbracket e \rrbracket^{ml}\,\emptyset \star \lambda f.\ f(c_1) = \lfloor c_2 \rfloor$.

Proof. Modulo trivial syntactic differences, and an equivalent formulation of the
semantics in terms of strict functions between pointed cpos, rather than general
ones between cpos, this is shown in, e.g., [7, Section 5]. The primary difficulty is,
of course, the definition of the logical relation at type dt, which is again achieved
by exploiting the minimal-invariant property of $S$.

4.2 The Normalization Algorithm 

The concrete representation of the normalization algorithm, with many of the
auxiliary definitions inlined, is shown in Fig. 1. We have instantiated dt as the
type sem, with two constructors $\mathtt{In}_1 = \mathtt{TM}$ and $\mathtt{In}_2 = \mathtt{FUN}$. It is easy to check
that the top-level expression, NORM : term -> term, is a well-typed complete
program in our sense.

Since ML is a call-by-value language, we must simulate the implicit call-by-name
nature of the residualizing semantics using thunking. We have defined
sem so that $\llbracket \mathtt{sem} \rrbracket^{ml}_\bot \cong D_r$ (Lemma 12); then semantic functions with codomain $D_r$ can be
represented directly as ML functions into sem, while functions with domain $D_r$
are represented with source type unit -> sem. As a further optimization, the
strict function $\downarrow : D_r \to [\mathcal{N} \to \Lambda_\bot]$ is represented as simply a function from sem.

Let us now properly relate the abstract and concrete constructions. To get a
perfect isomorphism between term families and their implementation, we choose
$\mathcal{N} = \mathbb{Z}$, with $\mathrm{gen}(n) = \texttt{"g}n\texttt{"}$, e.g., $\mathrm{gen}(13) = \texttt{"g13"}$. Let $i_D$ denote the isomorphism
$i : D_r \cong ([\mathbb{Z} \to \Lambda_\bot] + [D_r \to D_r])_\bot$ from before. We now also have
$i_S : S \cong [\mathbb{Z} \to \Lambda_\bot] + [[1 \to S_\bot] \to S_\bot]$.

Lemma 12. There exists an isomorphism $i_{DS} : D_r \cong S_\bot$, satisfying

a. For all $l \in [\mathbb{Z} \to \Lambda_\bot]$, $i_{DS}(i_D^{-1}(\lfloor in_1(l) \rfloor)) = \lfloor i_S^{-1}(in_1(l)) \rfloor$.

b. For all $f \in [D_r \to D_r]$,
$i_{DS}(i_D^{-1}(\lfloor in_2(f) \rfloor)) = \lfloor i_S^{-1}(in_2(\lambda g \in [1 \to S_\bot].\ i_{DS}(f(i_{DS}^{-1}(g\,*))))) \rfloor$.

c. $i_{DS}(i_D^{-1}(\bot)) = \bot_{S_\bot}$.

Proof. The strict functions $(i_{DS}, i_{DS}^{-1})$ are constructed in the natural way by
mutual recursion. That they are actually inverses, and satisfy equations (a) and
(b), follows from the minimal-invariant properties of $D_r$ and $S$.

We can also state three lemmas, relating the central domain-theoretic functions
to the denotations of their syntactic counterparts:

Lemma 13. For all $d \in D_r$ and $n \in \mathbb{Z}$, $\downarrow d\,n = i_{DS}(d) \star \lambda s \in S.\ \phi_{\mathtt{down}}\,s \star \lambda l.\ l\,n$.
datatype term = VAR of string | LAM of string*term | APP of term*term
datatype sem = TM of int -> term | FUN of (unit -> sem) -> sem;

let fun down (s : sem) : int -> term = fn n =>
      (case s of
         TM l  => l n
       | FUN f => LAM("g" ^ Int.toString n,
                      down (f (fn () => TM(fn n' => VAR("g" ^ Int.toString n)))) (n+1)))
in let fun eval (m : term) : (string -> sem) -> sem = fn p =>
      (case m of
         VAR x       => p x
       | LAM(x, m0)  => FUN(fn d => eval m0
                                     (fn x' => if x = x' then d () else p x'))
       | APP(m1, m2) => (case (eval m1 p) of
                           TM l  => TM(fn n => APP(l n, down (eval m2 p) n))
                         | FUN f => f (fn () => eval m2 p)))
in let fun norm (m : term) : term =
      down (eval m (fn x => TM(fn n => VAR(x)))) 0
in norm end end end

Fig. 1. The normalization algorithm, NORM, in a fragment of ML

Lemma 14. For all $m \in \Lambda$, $\rho \in [V \to D_r]$, and $\zeta \in [V \to S_\bot]$, such that
$\forall x \in FV(m).\ i_{DS}(\rho(x)) = \zeta(x)$, we have $i_{DS}(\llbracket m \rrbracket_r\,\rho) = \phi_{\mathtt{eval}}\,m \star \lambda g.\ g\,\zeta$.

Lemma 15. For all $m \in \Lambda$, $\mathrm{norm}(m) = \phi_{\mathtt{norm}}\,m$.

Proof. Follows easily from the definition of $\phi_{\mathtt{norm}}$, using Lemmas 12, 13 and 14.

Theorem 4 (implementation correctness). The program NORM satisfies
that $\mathrm{run}_{\mathtt{NORM}}(m) = m' \iff \mathrm{norm}(m) = \lfloor m' \rfloor$. That is, NORM computes the
normalization function for all $\lambda$-terms without free occurrences of $g_n$-variables
(including, in particular, all closed terms).

Proof. A direct consequence of Lemma 15 and Theorem 3.
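To make the thunking and the side condition of Theorem 4 concrete, here is an added Python transcription of the NORM program of Fig. 1; it is not the paper's code (the ML fragment above is), and the names evaluate, free_vars, is_gen_name and the check parameter are this example's own. It keeps the paper's structure, eval over a residualizing environment and down reifying under fresh names gen(n) = "gn", and adds one guard the ML program lacks: norm refuses input with free g_n-variables, exactly the inputs Theorem 4 excludes, while check=False shows what goes wrong without the guard, namely that a free g0 is captured by the first binder that down generates.

```python
from dataclasses import dataclass
from typing import Callable, Union

# Syntax: the inductive representation of lambda-terms, mirroring datatype term.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]

# Semantic values, mirroring datatype sem = TM of int -> term | FUN of (unit -> sem) -> sem.
@dataclass
class TM:
    fam: Callable[[int], Term]                     # term family: next fresh index -> term

@dataclass
class FUN:
    fn: Callable[[Callable[[], "Sem"]], "Sem"]      # argument is a thunk (call-by-name simulation)

Sem = Union[TM, FUN]

def gen(n: int) -> str:
    """gen(n) = "gn", the paper's choice of fresh-name generator."""
    return f"g{n}"

def down(s: Sem, n: int) -> Term:
    """Reify a semantic value into a term, using fresh names gen(n), gen(n+1), ..."""
    if isinstance(s, TM):
        return s.fam(n)
    fresh = gen(n)
    # Feed the function a thunk that yields the fresh variable, reify the result at n+1.
    body = down(s.fn(lambda: TM(lambda _n: Var(fresh))), n + 1)
    return Lam(fresh, body)

def evaluate(m: Term, rho: Callable[[str], Sem]) -> Sem:
    """The residualizing evaluator: rho maps variable names to semantic values."""
    if isinstance(m, Var):
        return rho(m.name)
    if isinstance(m, Lam):
        def closure(d: Callable[[], Sem]) -> Sem:
            return evaluate(m.body, lambda x: d() if x == m.var else rho(x))
        return FUN(closure)
    f = evaluate(m.fun, rho)
    if isinstance(f, TM):
        # Neutral application: residualize the operator, reify the operand lazily.
        return TM(lambda n: App(f.fam(n), down(evaluate(m.arg, rho), n)))
    return f.fn(lambda: evaluate(m.arg, rho))

def free_vars(m: Term) -> set:
    if isinstance(m, Var):
        return {m.name}
    if isinstance(m, Lam):
        return free_vars(m.body) - {m.var}
    return free_vars(m.fun) | free_vars(m.arg)

def is_gen_name(x: str) -> bool:
    """True for names of the form gen(n): "g" followed by digits (this example's helper)."""
    return len(x) > 1 and x[0] == "g" and x[1:].isdigit()

def norm(m: Term, check: bool = True) -> Term:
    """NORM: normalize m with fresh names starting at g0.  With check=True (the default),
    terms with free g_n-variables are rejected, since Theorem 4 does not cover them."""
    if check:
        bad = sorted(x for x in free_vars(m) if is_gen_name(x))
        if bad:
            raise ValueError(f"free gen-variables {bad} would be captured by fresh binders")
    return down(evaluate(m, lambda x: TM(lambda n: Var(x))), 0)

if __name__ == "__main__":
    one = Lam("f", Lam("x", App(Var("f"), Var("x"))))
    succ = Lam("n", Lam("f", Lam("x", App(Var("f"), App(App(Var("n"), Var("f")), Var("x"))))))
    print(norm(App(succ, one)))                     # Lam(g0, Lam(g1, App(Var(g0), App(Var(g0), Var(g1)))))
    print(norm(Lam("x", Var("g0")), check=False))   # Lam(g0, Var(g0)): the free g0 has been captured
```

As with the ML program, evaluation of a term without a normal form (e.g. $(\lambda x.\,x\,x)(\lambda x.\,x\,x)$) does not terminate; Theorem 2(c) only promises a result when a normal form exists, so a caller that cannot trust its input should run norm under a timeout. Python's recursion limit also bounds the nesting depth this transcription can handle, which the domain-theoretic account has no counterpart for.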



5 Conclusions and Perspectives 

We have presented a domain-theoretic analysis of a normalization-by-evaluation
construction for untyped $\lambda$-terms. Compared to the typed case, the main difference
is a change from induction on types to general recursion, both for function
definitions and for the domains and relations on them. That the correctness proof
has a generalized computational-adequacy result at its core further strengthens
the connection between normalization and evaluation. Moreover, the algorithmic
content of the construction corresponds very directly to a simple functional program,
enabling a precise verification of the normalizer as actually implemented.

There are several possible directions in which to extend the present work.
Some were already mentioned in Section 1.5, such as generalizations of the algorithm
to Böhm trees. It should also be possible to extend the language and
notion of normalization with interpreted constants in a suitable sense. But already
the current results indicate that the fundamental ideas of NBE are not
incompatible with general recursive types. Thus, reduction-free normalization
may provide a complementary view of other equational systems that are currently
analyzed using exclusively reduction-based methods. It might even be
possible to find unified formulations of rewriting-theoretic and model-theoretic
normalization results about particular such systems.



Acknowledgment. The authors wish to thank Olivier Danvy and the FOS- 
Abstract. We prove that if a finite alphabet of actions contains at least
two elements, then the equational theory for the process algebra BCCSP 
modulo any semantics no coarser than readiness equivalence and no finer 
than possible worlds equivalence does not have a finite basis. This seman- 
tic range includes ready trace equivalence. 



1 Introduction 

Labeled transition systems constitute a fundamental model of concurrent com- 
putation which is widely used in light of its flexibility and applicability. They 
model processes by explicitly describing their states and their transitions from 
state to state, together with the actions that produce them. Several notions 
of behavioral equivalence have been proposed, with the aim to identify those 
states of labeled transition systems that afford the same observations. The lack 
of consensus on what constitutes an appropriate notion of observable behav- 
ior for reactive systems has led to a large number of proposals for behavioral 
equivalences for concurrent processes. 

Van Glabbeek [8] presented the linear time - branching time spectrum of 
behavioral equivalences for finitely branching, concrete, sequential processes. In 
this paper we focus on three equivalence relations in this spectrum. Readiness 
semantics [22,27] distinguishes a process by its finite traces, where each finite 
trace is decorated with the set of initial actions at its ultimate state. In ready 
trace semantics [4,26], each finite trace is decorated with the set of initial actions 
at all its states. Possible worlds semantics [28] distinguishes a process by the 
deterministic processes that can be “ready simulated” by the original process. 
In a ready simulation, the sets of initial actions at a simulated and its simulating 
state must always be the same. Readiness semantics is coarser than ready trace 
semantics (meaning that it distinguishes fewer processes), which in turn is coarser 
than possible worlds semantics. Other semantics in the spectrum are based on 
(bi)simulation, failures, failure traces, and (completed) traces. Figure 1 depicts 
the linear time - branching time spectrum, where a directed edge from one 
equivalence to another means that the source of the edge is finer than the target. 
Fig. 1. The linear time - branching time spectrum (figure not reproduced; of its node labels only "bisimulation" and "2-nested simulation" survived extraction).
Van Glabbeek [8] studied the semantics in his spectrum in the setting of the
process algebra BCCSP, which contains only basic process algebraic operators
from CCS and CSP, but is sufficiently powerful to express all finite synchronization
trees. Van Glabbeek gave (sound and complete) axiomatizations for semantics
in the spectrum, meaning that two closed BCCSP terms can be equated if
and only if they are equivalent.

An axiomatization $E$ is ω-complete when an equation can be derived from $E$
if (and only if) all its closed instantiations can be derived from $E$. In applications
dealing with theorem proving, ω-completeness of the underlying equational
theory often facilitates the production of equational derivations; see [13]. In [11]
it was argued that ω-completeness is desirable for the partial evaluation of programs.

In universal algebra, an ω-complete axiomatization is referred to as a basis for the equational
theory. The existence of finite bases for algebras is a classic topic of study
in universal algebra (see, e.g., [16]), dating back to Lyndon [14]. Murskii [21]
proved that "almost all" finite algebras (namely all quasi-primal ones) are finitely
based, while in [20] he presented an example of a three-element algebra that has
no finite basis. Henkin [12] showed that the algebra of naturals with addition
and multiplication is finitely based, while Gurevich [10] showed that after adding
exponentiation the algebra is no longer finitely based. McKenzie [15] settled
Tarski's Finite Basis Problem in the negative, by showing that the general question
whether a finite algebra is finitely based is undecidable.
Other notable examples of ω-incomplete axiomatizations in the literature are
the λβη-calculus (see [25]) and the equational theory of CCS [17]. Therefore
laws such as commutativity of parallelism, which are valid in the initial model
but which cannot be derived, are often added to the latter equational theory.
For such extended equational theories, ω-completeness results were presented in
the setting of CCS [19] and ACP [6]. Another negative result, for basic process
algebra with the binary Kleene star, was reported in [2]: semantics no coarser
than completed trace equivalence and no finer than ready simulation equivalence
have no finite (sound and complete) axiomatization, so by default no finite ω-complete
axiomatization.

A number of positive and negative results regarding finite ω-complete axiomatizations
for BCCSP occur in the literature. Moller [19] proved that the finite
axiomatization for BCCSP modulo bisimulation equivalence is ω-complete.
Groote [9] presented a similar result for completed trace equivalence, for trace
equivalence (in case of an alphabet with more than one element), and for readiness
and failures equivalence (in case of an infinite alphabet). Blom, Fokkink
and Nain [5] proved that in case of an infinite alphabet, BCCSP modulo ready
trace equivalence does not have a finite (sound and complete) axiomatization.
Aceto, Fokkink and Ingolfsdottir [3] proved a similar negative result for 2-nested
simulation equivalence, independent of the cardinality of the alphabet.^

Groote [9] explicitly left open the question of ω-complete axiomatizations for
BCCSP modulo readiness and ready trace equivalence in case of a finite (nonempty)
alphabet. The same question for possible worlds equivalence, irrespective
of the cardinality of the alphabet, was posed by van Glabbeek [8].

In case of a singleton alphabet, readiness, ready trace and possible worlds
equivalence coincide with completed trace equivalence. As mentioned before,
there exists a finite ω-complete axiomatization for BCCSP modulo completed
trace equivalence, independent of the cardinality of the alphabet.

In this paper we consider BCCSP with a finite alphabet with more than one
element. We prove for any semantics $\sim$ no coarser than readiness equivalence
and no finer than possible worlds equivalence, that there is no finite ω-complete
axiomatization for BCCSP modulo $\sim$. Ready trace semantics is included in this
range (see Figure 1).

The proof of the main theorem of this paper only concerns equations of depth 
one. Pivotal for this proof is a special kind of “cover equation” (see Definition 
3), from which all sound equations of depth one for BCCSP modulo readiness 
equivalence can be derived. For the soundness of the cover equations, modulo 
possible worlds semantics, it is essential that the alphabet is finite. Thus we 
not only obtain a negative result, but we gain some insight into the equational 
theory of readiness, ready trace and possible worlds semantics in the presence 
of a finite alphabet. 



^ In case of an infinite alphabet, occurrences of action names in axioms should be inter- 
preted as variables, as else most of the axiomatizations mentioned in this paragraph 
would be infinite. 
Finally, we prove that if the alphabet is infinite, then the (sound and complete)
axiomatization for possible worlds semantics is ω-complete. So there is a
striking incompatibility of a finite alphabet and a finite basis. Namely, in case
of an infinite alphabet BCCSP modulo readiness semantics or possible worlds
semantics has a finite basis, while in case of a finite alphabet it only has an
infinite basis.

Groote [9] also asked whether in case of a finite alphabet, BCCSP modulo
failures or failure trace semantics has a finite ω-complete axiomatization. These
questions remain open, for alphabets with more than one element. We note that
the aforementioned cover equations can be derived from the standard axioms
for failures semantics and failure trace equivalence. So there is hope that finite
ω-complete axiomatizations for these semantics do exist.

2 Preliminaries 

Syntax of BCCSP. BCCSP(A) is a basic process algebra for expressing finite
process behavior. Its syntax consists of closed (process) terms $p, q$ that are constructed
from a constant $0$, a binary operator $\_+\_$ called alternative composition,
and unary prefix operators $a\_$, where $a$ ranges over some nonempty set $A$ of actions.
Open terms $t, u$ can moreover contain variables from a countably infinite
set $V$ (with typical elements $w, x, y, z$). As binding convention, alternative composition
and summation bind weaker than prefixing. A (closed) substitution
maps variables in $V$ to (closed) terms. For every term $t$ and substitution $\sigma$, the
term $\sigma(t)$ is obtained by replacing every occurrence of a variable $x$ in $t$ by $\sigma(x)$.

Transition rules. Intuitively, closed terms represent finite process behaviors,
where $0$ does not exhibit any behavior, $p + q$ is the nondeterministic choice
between the behaviors of $p$ and $q$, and $ap$ executes action $a$ to transform into
$p$. This intuition is captured, in the style of Plotkin [24], by the transition rules
below, which give rise to $A$-labeled transitions between closed terms.

$\dfrac{}{ax \xrightarrow{a} x}$    $\dfrac{x \xrightarrow{a} x'}{x + y \xrightarrow{a} x'}$    $\dfrac{y \xrightarrow{a} y'}{x + y \xrightarrow{a} y'}$

The depth of a term $t$, denoted by $\mathrm{depth}(t)$, is the maximal number of transitions
in sequence that $t$ can exhibit. It is defined by: $\mathrm{depth}(0) = 0$, $\mathrm{depth}(x) = 0$,
$\mathrm{depth}(t + u) = \max\{\mathrm{depth}(t), \mathrm{depth}(u)\}$, and $\mathrm{depth}(at) = \mathrm{depth}(t) + 1$.

For a closed term $p$, $I(p)$ denotes the set of actions $a$ for which there exists
a transition $p \xrightarrow{a} p'$. A closed term $p$ is deterministic if for each $a \in I(p)$ there is
exactly one closed term $p'$ such that $p \xrightarrow{a} p'$, and moreover $p'$ is deterministic.

Definition 1. A closed term $p_1$ is a possible world of a closed term $p_0$ if $I(p_1) =
I(p_0)$, $p_1$ is deterministic, and for each transition $p_1 \xrightarrow{a} p_1'$ there is a transition
$p_0 \xrightarrow{a} p_0'$ such that $p_1'$ is a possible world of $p_0'$. Two closed terms $p$ and $q$ are
possible worlds equivalent, denoted by $p \sim_{PW} q$, if they have exactly the same
possible worlds.

Definition 2. A pair $(a_1 \cdots a_k, B)$ with $B \subseteq A$ and $k \geq 0$ is a ready pair of $p_0$
if $p_0 \xrightarrow{a_1} p_1 \cdots \xrightarrow{a_k} p_k$ with $I(p_k) = B$. Two closed terms $p$ and $q$ are readiness
equivalent, denoted by $p \sim_R q$, if they have exactly the same ready pairs.

Axiomatization. An (equational) axiomatization $E$ for BCCSP(A) is a collection
of equations $t \approx u$. We write $E \vdash t \approx u$ if this equation can be derived from
the equations in $E$ using the standard rules of equational logic, and $E \vdash E'$
if $E \vdash t \approx u$ for all $t \approx u \in E'$. An axiomatization $E$ is sound modulo an
equivalence $\sim$ on closed terms if $(E \vdash p \approx q) \Rightarrow p \sim q$, and it is complete modulo
$\sim$ if $p \sim q \Rightarrow (E \vdash p \approx q)$, for all closed terms $p$ and $q$. An axiomatization $E$
is ω-complete if for each equation $t \approx u$ with $E \vdash \sigma(t) \approx \sigma(u)$ for all closed
substitutions $\sigma$, we have $E \vdash t \approx u$.

The core axioms A1-4 [17] for BCCSP(A) below are sound and complete modulo
bisimulation equivalence [23], which is the finest semantics in van Glabbeek's
linear time - branching time spectrum (see Figure 1).

A1  $x + y \approx y + x$

A2  $(x + y) + z \approx x + (y + z)$

A3  $x + x \approx x$

A4  $x + 0 \approx x$

In the remainder of this paper, process terms are considered modulo A1-2. A
term $x$ or $at$ is a summand of each term $x + u$ or $at + u$, respectively. We use
summation $\sum_{i \in \{1, \ldots, k\}} t_i$ with $k \geq 0$ to denote $t_1 + \cdots + t_k$, where
the empty sum denotes $0$.

Lemma 1. If $t \approx u$ is sound modulo $\sim_R$, then $t$ and $u$ have the same depth.

Proof. Let $\sigma$ map each variable in $V$ to $0$. Since $\sigma(t) \sim_R \sigma(u)$, clearly $\sigma(t)$ and
$\sigma(u)$ have the same depth. So $\mathrm{depth}(t) = \mathrm{depth}(\sigma(t)) = \mathrm{depth}(\sigma(u)) = \mathrm{depth}(u)$.

□



3 On Finite Alphabets and Infinite Bases 

In this section, we assume that $1 < |A| < \infty$.

Let $\sim$ denote a semantics no coarser than readiness semantics and no finer
than possible worlds semantics. We prove that no finite sound and complete
axiomatization for BCCSP(A) modulo $\sim$ is ω-complete.



3.1 How the Proof Was Construed

To prove the result mentioned above, we started out with the following infinite
family of equations $e_n$ for $n > |A|$:

$a(x_1 + \cdots + x_n) + \sum_{i=1}^{n} a(x_1 + \cdots + x_{i-1} + x_{i+1} + \cdots + x_n)
\approx \sum_{i=1}^{n} a(x_1 + \cdots + x_{i-1} + x_{i+1} + \cdots + x_n).$

These equations are sound modulo $\sim_{PW}$. Namely, it is not hard to see that for
each closed substitution $\sigma$, the possible worlds of the summand $\sigma(a(x_1 + \cdots + x_n))$
at the left-hand side of $\sigma(e_n)$ are included in the possible worlds of the right-hand
side of $\sigma(e_n)$.

However, our expectation that the equations $e_n$ for $n > |A|$ would obstruct
a finite ω-complete axiomatization turned out to be false. Namely, $e_n$ can be
obtained by (1) applying to $e_{n-1}$ a substitution $\sigma$ with $\sigma(x_i) = x_i + x_n$ for
$i = 1, \ldots, n-1$, and (2) adding the summand $a(x_1 + \cdots + x_{n-1})$ at the left-
and right-hand side of the resulting equation. Hence, from $e_{|A|+1}$ (together with
A1-3) we can derive the $e_n$ for $n > |A|$.

Therefore we moved to a more complicated family of equations (see Definition
7), similar in spirit to the equations $e_n$. However, while cancellation of
the summand $a(x_1 + \cdots + x_{n-1})$ from $e_n$ for $n > |A| + 1$ leads to an equation
that is again sound modulo $\sim_{PW}$, such a cancellation is not possible for the new
family of equations (see Proposition 3). We prove that they do obstruct a finite
ω-complete axiomatization (see Corollary 1).

3.2 Cover Equations

We introduce the class of cover equations (see Definition 3), and show that they
are sound modulo $\sim_{PW}$. We prove that each equation that involves terms of
depth $\leq 1$ and that is sound modulo $\sim_R$ can be derived from the cover equations.
Moreover, if such an equation contains no more than $k$ summands at its left-
and right-hand side, then it can be derived from cover equations containing no
more than $k$ summands at their left- and right-hand sides (see Theorem 1).

In the remainder of this section, terms are considered not only modulo A1,2,
but also modulo A3,4. By abuse of notation, we let a finite set $X \subseteq V$ denote the
term $\sum_{x \in X} x$. From now on, $X, Y, Z$ (possibly subscripted) denote finite subsets
of $V$.

Definition 3. A term $\sum_{i \in I} aY_i$ is a cover of $aX$ if:

1. $\forall Z \subseteq X$ with $|Z| < |A|$, $\exists i \in I\ (Z \subseteq Y_i \subseteq X)$; and

2. $\forall Z \subseteq X$ with $|Z| = |A|$, $\exists i \in I\ (Z \subseteq Y_i)$.

This is denoted by $\sum_{i \in I} aY_i \rhd aX$. We call $aX + \sum_{i \in I} aY_i \approx \sum_{i \in I} aY_i$
a cover equation.

Example 1. $\sum_{i=1}^{n} a(x_1 + \cdots + x_{i-1} + x_{i+1} + \cdots + x_n) \rhd a(x_1 + \cdots + x_n)$ for
$n > |A|$. Hence the equations in Section 3.1 are cover equations.

If $|X| < |A|$, then by Definition 3.1, $t \rhd aX$ implies that $aX$ is a summand
of $t$. So the only interesting cover equations are the ones where $|X| \geq |A|$ (cf.
Definition 7).

We proceed to prove that the cover equations are sound modulo $\sim_{PW}$.

Proposition 1. If $t \rhd aX$, then $aX + t \approx t$ is sound modulo $\sim_{PW}$.
Proof. Let $\sigma$ be an arbitrary closed substitution. It suffices to show that the
possible worlds of $\sigma(aX)$ are also possible worlds of $\sigma(t)$. Let $t = \sum_{i \in I} aY_i$, and
let $ap$ be a possible world of $\sigma(aX)$. Then $p$ is a possible world of $\sigma(X)$. So by
Definition 1: $I(p) = I(\sigma(X))$; $p$ has exactly $|I(\sigma(X))|$ summands, one summand
$bp_b$ for each $b \in I(\sigma(X))$; and for each $b \in I(\sigma(X))$ there is an $x_b \in X$ such
that $\sigma(x_b) \xrightarrow{b} q_b$ and $p_b$ is a possible world of $q_b$. Let $Z = \{x_b \mid b \in I(\sigma(X))\}$.
Then $I(\sigma(Z)) = I(\sigma(X))$. Clearly $p$ is a possible world of $\sigma(Z)$. Note that
$|Z| \leq |I(\sigma(X))|$. We consider two cases.

1. $|I(\sigma(X))| < |A|$.

By Definition 3.1, $Z \subseteq Y_i \subseteq X$ for some $i \in I$. Then $I(\sigma(Y_i)) = I(\sigma(X))$, so
$p$ is a possible world of $\sigma(Y_i)$. Thus $ap$ is a possible world of $\sigma(t)$.

2. $|I(\sigma(X))| = |A|$.

By Definition 3, $Z \subseteq Y_i$ for some $i \in I$. Then $I(\sigma(Y_i)) = A = I(\sigma(X))$, so $p$
is a possible world of $\sigma(Y_i)$. Thus $ap$ is a possible world of $\sigma(t)$.

Concluding, the possible worlds of $\sigma(aX)$ are also possible worlds of $\sigma(t)$. □

We proceed to prove that each sound equation $t \approx u$ modulo $\sim_R$, where $t$ and $u$
have depth $\leq 1$ and contain no more than $k$ summands, can be derived from the
cover equations with $|I| \leq k$ (see Theorem 1). First we present some notations.

Definition 4. $C^k = \{aX + \sum_{i \in I} aY_i \approx \sum_{i \in I} aY_i \mid \sum_{i \in I} aY_i \rhd aX \wedge |I| \leq k\}$
for $k \geq 0$.

Definition 5. $R_1$ denotes the set of equations $t \approx u$ with $\mathrm{depth}(t) = \mathrm{depth}(u) \leq
1$ that are sound modulo $\sim_R$.

Notation. $S(t)$ denotes the number of distinct summands of term $t$.

Definition 6. $R_1^k = \{t \approx u \in R_1 \mid S(t) \leq k \wedge S(u) \leq k\}$ for $k \geq 0$.

Notation. $A = \{a_1, \ldots, a_{|A|}\}$.

We present part of the proof of Theorem 1 as a separate lemma, as this lemma
will be re-used in the proof of Proposition 4.

Lemma 2. If $t \approx u \in R_1$, then $t$ and $u$ contain exactly the same summands
$x \in V$ and $aX$ with $|X| < |A|$.

Proof. Let $x \in V$ be a summand of $t$. We define $\sigma(x) = a_1 a_1 0$ and $\sigma(y) = 0$ for
$y \neq x$. Then $(a_1 a_1, \emptyset)$ is a ready pair of $\sigma(t)$, so it must be a ready pair of $\sigma(u)$.
Since $\mathrm{depth}(u) \leq 1$, this implies that $x$ is a summand of $u$.

Let $aX$ be a summand of $t$ where $X = \{x_1, \ldots, x_k\}$ with $k < |A|$. We define
$\sigma(x_i) = a_i 0$ for $i = 1, \ldots, k$ and $\sigma(y) = a_{k+1} 0$ for $y \notin X$. Then $(a, \{a_1, \ldots, a_k\})$
is a ready pair of $\sigma(t)$, so it must be a ready pair of $\sigma(u)$. Since $\mathrm{depth}(u) \leq 1$,
this implies that $aX$ is a summand of $u$.

By symmetry, each summand $x \in V$ and $aX$ with $|X| < |A|$ of $u$ is also a
summand of $t$. □
Theorem 1. $C^k \vdash R_1^k$ for $k \geq 0$.

Proof. Let $t \approx u \in R_1^k$. Consider a summand $aX$ of $t$ with $|X| \geq |A|$. We prove
that a subset of the summands of $u$ form a cover of $aX$.

1. Let $Z = \{z_1, \ldots, z_j\} \subseteq X$ with $j < |A|$.

We define $\sigma(z_i) = a_i 0$ for $i = 1, \ldots, j$, $\sigma(x) = 0$ for $x \in X \setminus Z$ and $\sigma(y) =
a_{|A|} 0$ for $y \notin X$. The ready pairs of $\sigma(aX)$ must also be ready pairs of $\sigma(u)$.
Since $\mathrm{depth}(u) \leq 1$, this implies that there is a summand $aY$ of $u$ with
$Z \subseteq Y \subseteq X$.

2. Let $Z = \{z_1, \ldots, z_{|A|}\} \subseteq X$.

We define $\sigma(z_i) = a_i 0$ for $i = 1, \ldots, |A|$ and $\sigma(y) = 0$ for $y \notin Z$. The ready
pairs of $\sigma(aX)$ must also be ready pairs of $\sigma(u)$. Since $\mathrm{depth}(u) \leq 1$, this
implies that there is a summand $aY$ of $u$ with $Z \subseteq Y$.

Concluding, in view of Definition 3, $u = u' + u''$ with $u' \rhd aX$. Since $S(u') \leq
S(u) \leq k$, we have $aX + u' \approx u' \in C^k$. So $C^k \vdash aX + u \approx u$.

By Lemma 2, each summand $x \in V$ and $aX$ with $|X| < |A|$ of $t$ is a summand
of $u$. Moreover, $C^k \vdash aX + u \approx u$ for each summand $aX$ of $t$ with $|X| \geq |A|$.
Hence, $C^k \vdash t + u \approx u$.

By symmetry, also $C^k \vdash t + u \approx t$. So $C^k \vdash t \approx t + u \approx u$. □

3.3 Cover Equations for n > |A|

We now turn our attention to a special kind of cover equation $a_1 X_n + t_n \approx t_n$
for $n > |A|$, where $t_n$ contains $n + 1$ summands (see Definition 7 and Proposition
2). If a term $u$ is obtained by eliminating one or more summands from $t_n$,
then $a_1 X_n + u \approx u$ is not sound modulo $\sim_R$ (see Proposition 3); moreover,
if a summand of a term $u$ is not a summand of $a_1 X_n + t_n$, then $t_n \approx u$ is
not sound modulo $\sim_R$ (see Proposition 4). These two facts together imply that
$a_1 X_n + t_n \approx t_n$ cannot be derived from $C^n$ (see Theorem 2). Theorems 1 and
2 form the corner stones of the proof of Corollary 1, which contains the main
result of this paper.

Definition 7. Let $n > |A|$. Let $x_1, \ldots, x_n, w_{|A|}, \ldots, w_n$ be distinct variables in
$V$. Let $X_{|A|-1}$ and $X_n$ denote $\{x_1, \ldots, x_{|A|-1}\}$ and $\{x_1, \ldots, x_n\}$, respectively.

We define that $t_n$ denotes the term

$a_1 X_{|A|-1} + \sum_{i=1}^{|A|-1} a_1 (X_n \setminus \{x_i\}) + \sum_{i=|A|}^{n} a_1 (X_{|A|-1} \cup \{x_i, w_i\}).$

Proposition 2. $t_n \rhd a_1 X_n$ for $n > |A|$.

Proof. Let $Z \subseteq X_n$ with $|Z| < |A|$. We need to find a summand $a_1 Y$ of $t_n$ with
$Z \subseteq Y \subseteq X_n$. We distinguish two cases.

1. $Z \subseteq X_{|A|-1}$. Then $Z \subseteq X_{|A|-1} \subseteq X_n$.




W. Fokkink and S. Nain



2. $Z \not\subseteq X_{|A|-1}$. Then $Z \subseteq X_n \setminus \{x_i\} \subseteq X_n$ for some $1 \leq i < |A|$.

Let $Z \subseteq X_n$ with $|Z| = |A|$. We need to find a summand $a_1 Y$ of $t_n$ with $Z \subseteq Y$.
We distinguish two cases.

1. $X_{|A|-1} \subseteq Z$. Then $Z \subseteq X_{|A|-1} \cup \{x_i, w_i\}$ for some $|A| \leq i \leq n$.

2. $X_{|A|-1} \not\subseteq Z$. Then $Z \subseteq X_n \setminus \{x_i\}$ for some $1 \leq i < |A|$. □



Proposition 3. Let $n > |A|$. If the summands of $u$ are a proper subset of the
summands of $t_n$, then $a_1 X_n + u \approx u$ is not sound modulo $\sim_R$.

Proof. Suppose that all summands of $u$ are summands of $t_n$, but that some
summand $a_1 Y$ of $t_n$ is not a summand of $u$. We consider the three possible
forms of $Y$, and for each case give a closed substitution $\sigma$ such that some ready
pair of $\sigma(a_1 X_n)$ is not a ready pair of $\sigma(u)$.

1. $Y = X_{|A|-1}$.

We define $\sigma(x_i) = a_i 0$ for $i = 1, \ldots, |A|-1$, $\sigma(x_i) = 0$ for $i = |A|, \ldots, n$,
and $\sigma(y) = a_{|A|} 0$ for $y \notin X_n$. Then the ready pair $(a_1, \{a_1, \ldots, a_{|A|-1}\})$ of
$\sigma(a_1 X_n)$ is not a ready pair of $\sigma(u)$.

2. $Y = X_n \setminus \{x_j\}$ for some $1 \leq j < |A|$.

We define $\sigma(x_i) = a_i 0$ for $i = 1, \ldots, j-1, j+1, \ldots, |A|$, $\sigma(x_i) = 0$ for $i = j$
and $i = |A|+1, \ldots, n$, and $\sigma(y) = a_j 0$ for $y \notin X_n$. Then the ready pair
$(a_1, \{a_1, \ldots, a_{j-1}, a_{j+1}, \ldots, a_{|A|}\})$ of $\sigma(a_1 X_n)$ is not a ready pair of $\sigma(u)$.

3. $Y = X_{|A|-1} \cup \{x_j, w_j\}$ for some $|A| \leq j \leq n$.

We define $\sigma(x_i) = a_i 0$ for $i = 1, \ldots, |A|-1$, $\sigma(x_j) = a_{|A|} 0$, and $\sigma(y) = 0$
for $y \notin X_{|A|-1} \cup \{x_j\}$. Then the ready pair $(a_1, \{a_1, \ldots, a_{|A|}\})$ of $\sigma(a_1 X_n)$
is not a ready pair of $\sigma(u)$. □



Proposition 4. Let $n \geq |A|$. If $t_n \approx u$ is sound modulo $\sim_R$, then each summand 
of $u$ is a summand of $a_1X_n + t_n$. 

Proof. Let $t_n \approx u$ be sound modulo $\sim_R$. By Lemma 1, $depth(u) = 1$. By Lemma 
2, $u$ does not have summands $x \in V$, so clearly each summand of $u$ is of the form 
$a_1Y$. If $|Y| < |A|$, then by Lemma 2, $a_1Y$ is a summand of $t_n$. Let $|Y| \geq |A|$; we 
prove that $a_1Y$ is a summand of $a_1X_n + t_n$. 

First we prove that $Y \subseteq X_n \cup \{w_i \mid i = |A|, \ldots, n\}$. Suppose, towards a 
contradiction, that there is a $y \in Y \setminus (X_n \cup \{w_i \mid i = |A|, \ldots, n\})$. We define 
$\sigma(y) = a_1 0$, and $\sigma(z) = 0$ for $z \neq y$. The ready pair $(a_1, \{a_1\})$ of $\sigma(a_1Y)$ is not a 
ready pair of $\sigma(t_n)$, contradicting that $t_n \approx u$ is sound modulo $\sim_R$. Hence, 
$Y \subseteq X_n \cup \{w_i \mid i = |A|, \ldots, n\}$. 

To prove that $a_1Y$ is a summand of $a_1X_n + t_n$, we consider two cases. 

1. $w_i \in Y$ for some $|A| \leq i \leq n$. 

Suppose, towards a contradiction, that there is a $y \in Y \setminus (X_{|A|-1} \cup \{x_i, w_i\})$. 
We define $\sigma(y) = a_1 0$, $\sigma(w_i) = a_2 0$, and $\sigma(z) = 0$ for $z \notin \{y, w_i\}$. The ready 
pair $(a_1, \{a_1, a_2\})$ of $\sigma(a_1Y)$ is not a ready pair of $\sigma(t_n)$, contradicting that 
$t_n \approx u$ is sound modulo $\sim_R$. 

Suppose, towards a contradiction, that there is an $x \in (X_{|A|-1} \cup \{x_i, w_i\}) \setminus Y$. 
Note that $w_i \in Y$ implies $x \neq w_i$. We define $\sigma(x) = a_1 0$, $\sigma(w_i) = a_2 0$, and 
$\sigma(z) = 0$ if $z \notin \{x, w_i\}$. The ready pair $(a_1, \{a_2\})$ of $\sigma(a_1Y)$ is not a ready 
pair of $\sigma(t_n)$, contradicting that $t_n \approx u$ is sound modulo $\sim_R$. 
Hence, $Y = X_{|A|-1} \cup \{x_i, w_i\}$. 

2. $Y \subseteq X_n$. 

Since $|Y| \geq |A|$, there is a $Z = \{z_1, \ldots, z_{|A|-1}\} \subseteq Y$ with $Z \neq X_{|A|-1}$. 
We define $\sigma(z_i) = a_i 0$ for $i = 1, \ldots, |A|-1$, $\sigma(y) = 0$ for $y \in Y \setminus Z$, and 
$\sigma(z) = a_{|A|} 0$ for $z \notin Y$. The ready pair $(a_1, \{a_1, \ldots, a_{|A|-1}\})$ of $\sigma(a_1Y)$ must 
be a ready pair of $\sigma(t_n)$, which implies that there is a summand $a_1Y'$ of $t_n$ 
with $Z \subseteq Y' \subseteq Y \subseteq X_n$. Since $Z \neq X_{|A|-1}$, it follows that $Y' = X_n \setminus \{x_i\}$ 
for some $1 \leq i < |A|$. Hence, either $Y = X_n$ or $Y = X_n \setminus \{x_i\}$ for some 
$1 \leq i < |A|$. 

Concluding, each summand of $u$ is a summand of $a_1X_n + t_n$. □ 

The following example shows that Proposition 4 would fail if $|A| = 1$. 

Example 2. Let $|A| = 1$ and $n = 1$. Note that $t_1 = a_1 0 + a_1(x_1 + w_1)$ and 
$a_1X_1 = a_1x_1$. Since $|A| = 1$, $a_1 0 + a_1(x_1 + w_1) \approx a_1w_1 + a_1 0 + a_1(x_1 + w_1)$ is 
sound modulo $\sim_R$. However, $a_1w_1$ is not a summand of $a_1x_1 + a_1 0 + a_1(x_1 + w_1)$. 

Theorem 2. $C^n \nvdash a_1X_n + t_n \approx t_n$ for $n \geq |A|$. 

Proof. Suppose, towards a contradiction, that there is a derivation of $a_1X_n + t_n \approx 
t_n$ using only equations in $C^n$: $a_1X_n + t_n = u_0 \approx u_1 \approx \cdots \approx u_j = t_n$ for some 
$j \geq 1$. By Lemma 1, $u_1, \ldots, u_j$ have depth 1. Since $u_0 = a_1X_n + t_n$, $u_j = t_n$, and 
the equations in $C^n$ are of the form $aY + v \approx v$, there must be a $1 \leq i \leq j$ such 
that $u_{i-1} = a_1X_n + u_i$ and $a_1X_n$ is not a summand of $u_i$. Since $t_n \approx u_i$ is sound 
modulo $\sim_R$, Proposition 4 implies that all summands of $u_i$ are summands of 
$a_1X_n + t_n$. Since $a_1X_n + u_i \approx u_i$ is sound modulo $\sim_R$, Proposition 3 implies that 
$u_i = t_n$. Hence, $a_1X_n + t_n \approx t_n$ can be derived using a single application of an 
equation $a_1Y + v \approx v \in C^n$. Then $\sigma(Y) = X_n$ and $\sigma(v) + w = t_n$ for some 
substitution $\sigma$ and term $w$. Since $a_1X_n + \sigma(v) \approx \sigma(v)$ is sound modulo $\sim_R$ 
and $\sigma(v) + w = t_n$, Proposition 3 implies that $\sigma(v) = t_n$. However, 
$a_1Y + v \approx v \in C^n$ implies $S(v) < n$, and $v$ does not contain summands from $V$, so 
clearly $S(\sigma(v)) < n$. This contradicts the fact that $S(\sigma(v)) = S(t_n) = n + 1$. 

Concluding, $C^n \nvdash a_1X_n + t_n \approx t_n$. □ 

3.4 The Main Result 

Corollary 1. Let $E$ be a finite axiomatization that is sound and complete for 
BCCSP($A$) modulo an equivalence $\sim$ that is no coarser than readiness semantics 
and no finer than possible worlds semantics. If $1 < |A| < \infty$, then $E$ is not 
$\omega$-complete. 

Proof. Suppose, towards a contradiction, that $E$ is $\omega$-complete. By Propositions 
2 and 1, $a_1X_n + t_n \approx t_n$ for $n \geq |A|$ is sound modulo $\sim_{PW}$, so also modulo $\sim$. 
Then these equations can be derived from $E$. Let $E_1$ denote the equations in $E$ 
of depth $\leq 1$. Clearly, $E_1 \vdash a_1X_n + t_n \approx t_n$ for $n \geq |A|$ (cf. Lemma 1). 

Choose an $n \geq |A|$ such that $S(t) < n$ and $S(u) < n$ for each $t \approx u \in E_1$. 
Since $E_1$ is sound modulo $\sim$, so also modulo $\sim_R$, it follows that $E_1 \subseteq C^n$. By 
Theorem 1, $C^n \vdash E_1$. This implies that $C^n \vdash a_1X_n + t_n \approx t_n$, which contradicts 
Theorem 2. 

Concluding, $E$ is not $\omega$-complete. □ 



4 On Infinite Alphabets and Finite Bases: Possible Worlds 

In case of an infinite alphabet, the equational theory of BCCSP modulo readiness 
semantics has a finite basis [9] , while the equational theory of BCCSP modulo 
ready trace semantics does not have a finite basis [5]. In this section we prove 
that, in case of an infinite alphabet, the equational theory of BCCSP modulo 
possible worlds semantics has a finite basis. 

Let $|A| = \infty$. From now on, we interpret occurrences of action names in 
axioms as variables (of type action), as otherwise axiom A5 for BCCSP modulo possible 
worlds semantics given below would actually denote infinitely many axioms. To 
emphasize this interpretation, action names in axioms are written as $\alpha, \beta$ instead 
of $a, b$. 

The axiomatization consisting of A1-4 together with 

A5 $\alpha(\beta x + \beta y + z) \approx \alpha(\beta x + z) + \alpha(\beta y + z)$ 

is sound and complete for BCCSP modulo possible worlds semantics (see [28]). 

We prove that A1-5 are $\omega$-complete. The proof strategy, which is based on 
giving semantics to open terms, is rather standard (cf. [1,7,18]), so we only 
provide a sketch of the proof. 

Theorem 3. If $|A| = \infty$, then the axiomatization A1-5 is $\omega$-complete. 

Proof. Terms are considered modulo A1,2 (so no longer modulo A3,4). The 
operational semantics for closed terms in Section 2 is extended to open terms by 
adding a transition rule for variables: 

$$x \xrightarrow{x} 0$$ 

Furthermore, possible worlds semantics (see Definition 1) is extended to open 
terms. First we define $I(t)$ for open terms $t$: it denotes the set of actions $a$ and 
variables $x$ for which there exists a transition $t \xrightarrow{a} t'$ or $t \xrightarrow{x} t'$, respectively. A 
term $t_1$ is a possible world of a term $t_0$ if $I(t_1) = I(t_0)$, $t_1$ is deterministic, and 
for each transition $t_1 \xrightarrow{a} t_1'$ or $t_1 \xrightarrow{x} t_1'$, respectively, there is a transition $t_0 \xrightarrow{a} t_0'$ 
or $t_0 \xrightarrow{x} t_0'$, respectively, such that $t_1'$ is a possible world of $t_0'$. We write $t \sim_{PW} u$ 
if $t$ and $u$ have exactly the same possible worlds. Without proof we observe the 
following three facts. 
(A) $t \sim_{PW} u$ if and only if $\sigma(t) \sim_{PW} \sigma(u)$ for all closed substitutions $\sigma$. 

(B) The term rewriting system 

$$\alpha(\beta x + \beta y + z) \to \alpha(\beta x + z) + \alpha(\beta y + z)$$ 

$$x + x \to x$$ 
$$x + 0 \to x$$ 

is terminating, meaning that it does not give rise to infinite reductions of 
BCCSP terms. 

(C) If $t \sim_{PW} u$, then the normal forms of $t$ and $u$, with respect to the term 
rewriting system above, can all be equated by A1,2. 

Finally, suppose $\sigma(t) \approx \sigma(u)$ can be derived from A1-5 for all closed substitutions 
$\sigma$. By the soundness of A1-5 modulo $\sim_{PW}$, $\sigma(t) \sim_{PW} \sigma(u)$ for all closed 
substitutions $\sigma$. By (A), $t \sim_{PW} u$. By (B), $t$ and $u$ can be reduced to normal 
forms $t'$ and $u'$, respectively, using the rewrite rules. By (C), $t' \approx u'$ can be 
derived from A1,2. Hence, $t \approx t' \approx u' \approx u$ can be derived from A1-5. □ 
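The following Python is an added illustration and not code from the paper. It models closed BCCSP terms modulo A1,2, computes ready pairs (the notion used in the proofs of Propositions 3 and 4), and implements the rewriting system (B) from the proof of Theorem 3, so that possible worlds equivalence of closed terms is decided by comparing normal forms, as fact (C) states. It also builds $\sigma(t_n)$ from Definition 7 for $|A| = 2$, $n = 2$ under a constructed closed substitution, checks that this instance of $a_1X_n + t_n \approx t_n$ is respected by both semantics, and reproduces the ready-pair witness of Proposition 3 (case 2, $j = 1$) once the summand $a_1x_2$ of $t_2$ is dropped. The term encoding (sorted tuples of summands) and all function names are this example's own; the ready-trace style `readies` function is a straightforward rendering of readiness semantics and not notation from the paper.

```python
import itertools
from typing import Dict, FrozenSet, List, Set, Tuple

# Added example, not the paper's own code. A closed BCCSP term is a sum of
# prefixed summands (action, subterm), kept as a sorted tuple so that A1,2
# (commutativity and associativity of +) hold by construction. The deadlock 0
# is the empty sum. A3 (x + x = x) and A4 (x + 0 = x) are NOT built in; they
# are applied as rewrite rules by normal_form, as in the proof of Theorem 3.
Term = Tuple[Tuple[str, "Term"], ...]
ZERO: Term = ()


def prefix(a: str, t: Term) -> Term:
    """The term a.t (action prefix)."""
    return ((a, t),)


def plus(*ts: Term) -> Term:
    """Alternative composition t_1 + ... + t_k modulo A1,2; duplicates are kept."""
    return tuple(sorted(s for t in ts for s in t))


def initials(t: Term) -> FrozenSet[str]:
    """I(t): the actions that t can perform first."""
    return frozenset(a for a, _ in t)


def ready_pairs(t: Term) -> Set[Tuple[str, FrozenSet[str]]]:
    """The ready pairs (a, I(t')) for every transition t --a--> t' (as in Prop. 3/4)."""
    return {(a, initials(s)) for a, s in t}


def readies(t: Term, trace: Tuple[str, ...] = ()) -> Set[Tuple[Tuple[str, ...], FrozenSet[str]]]:
    """Readiness semantics: all pairs (trace, I(t')) with t --trace--> t'."""
    out = {(trace, initials(t))}
    for a, s in t:
        out |= readies(s, trace + (a,))
    return out


def worlds(t: Term) -> List[Term]:
    """The possible worlds of t: deterministic terms obtained from the normal form
    of t by choosing exactly one summand for each initial action."""
    by_action: Dict[str, List[Tuple[str, Term]]] = {}
    for a, d in normal_form(t):
        by_action.setdefault(a, []).append((a, d))
    return [tuple(sorted(choice)) for choice in itertools.product(*by_action.values())]


def normal_form(t: Term) -> Term:
    """Normal form of t under the rewriting system (B):
         alpha(beta x + beta y + z) -> alpha(beta x + z) + alpha(beta y + z),
         x + x -> x,   x + 0 -> x.
    Applying the first rule exhaustively below a prefix leaves one summand alpha.d
    per possible world d of the argument; collecting summands in a set applies
    x + x -> x, and 0 contributes no summand, so x + 0 -> x is implicit."""
    result: Set[Tuple[str, Term]] = set()
    for a, s in t:
        for d in worlds(s):
            result.add((a, d))
    return tuple(sorted(result))


def pw_equivalent(t: Term, u: Term) -> bool:
    """Fact (C) for closed terms: t ~PW u iff the normal forms agree modulo A1,2."""
    return normal_form(t) == normal_form(u)


def ready_equivalent(t: Term, u: Term) -> bool:
    """t ~R u: the same (trace, ready set) pairs."""
    return readies(t) == readies(u)


def sum_of(variables: List[str], sigma: Dict[str, Term]) -> Term:
    """sigma(x_1 + ... + x_k) for a closed substitution sigma given as a dict."""
    return plus(*(sigma[x] for x in variables))


def sigma_t_n(k: int, n: int, sigma: Dict[str, Term]) -> Term:
    """sigma(t_n) for |A| = k, n >= k, following Definition 7 (variables x1..xn, wk..wn)."""
    X = [f"x{i}" for i in range(1, n + 1)]
    Xk1 = X[:k - 1]                                     # X_{|A|-1}
    summands = [prefix("a1", sum_of(Xk1, sigma))]       # a1 X_{|A|-1}
    for i in range(k - 1):                              # a1(X_n \ {x_i}), i = 1..|A|-1
        summands.append(prefix("a1", sum_of(X[:i] + X[i + 1:], sigma)))
    for i in range(k, n + 1):                           # a1(X_{|A|-1} u {x_i, w_i}), i = |A|..n
        summands.append(prefix("a1", sum_of(Xk1 + [f"x{i}", f"w{i}"], sigma)))
    return plus(*summands)


def sigma_a1_Xn(n: int, sigma: Dict[str, Term]) -> Term:
    """sigma(a1 X_n) = a1 sigma(x_1 + ... + x_n)."""
    return prefix("a1", sum_of([f"x{i}" for i in range(1, n + 1)], sigma))


# Constructed closed substitution for |A| = 2, n = 2: x1 -> a1 0, x2 -> a2 0, w2 -> 0.
SIGMA: Dict[str, Term] = {"x1": prefix("a1", ZERO), "x2": prefix("a2", ZERO), "w2": ZERO}


def dropped_summand_witness() -> Set[Tuple[str, FrozenSet[str]]]:
    """Proposition 3, case 2 with j = 1, for |A| = 2, n = 2: drop the summand a1 x2
    of t_2 to obtain u and return the ready pair of sigma(a1 X_2) that sigma(u) lacks
    under the substitution chosen in that case (x1 -> 0, x2 -> a2 0, w2 -> a1 0)."""
    sigma = {"x1": ZERO, "x2": prefix("a2", ZERO), "w2": prefix("a1", ZERO)}
    u = plus(prefix("a1", sum_of(["x1"], sigma)),
             prefix("a1", sum_of(["x1", "x2", "w2"], sigma)))
    return ready_pairs(sigma_a1_Xn(2, sigma)) - ready_pairs(u)
```

`pw_equivalent(plus(sigma_a1_Xn(2, SIGMA), sigma_t_n(2, 2, SIGMA)), sigma_t_n(2, 2, SIGMA))` holds for the constructed instance, while `dropped_summand_witness()` returns the single pair $(a_1, \{a_2\})$, exactly the ready pair named in the proof. The helper also exhibits the strictness of the refinement the paper relies on: $a(bc0 + bd0 + ef0 + eg0)$ and $a(bc0 + ef0) + a(bd0 + eg0)$ are readiness equivalent but have four and two possible worlds respectively, so they are not $\sim_{PW}$-equivalent.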
Abstract. Message sequence charts (MSC) are a graphical language for 
the description of communication scenarios between asynchronous processes. 
Our starting point is to model systems using an assume-guarantee 
formalism, in the style of LSCs and Triggered MSCs. We enrich MSCs 
with the possibility of using gaps (template MSC), and show their 
expressivity. This formalism also allows logical formulas to be expressed. We 
analyze the model-checking problem, whose complexity is linear in the 
size of the system, and ranges from PTIME to EXPSPACE in the size 
of the template formula. 



1 Introduction 

Concurrent systems are intricate and hence difficult to describe. The classical 
description, stemming from programming practices, is based on listing the different 
concurrent participants, e.g., the processes. The Message Sequence Charts 
(MSC) formalism allows an alternative “sequential” description of a concurrent 
system, where the complete behavior of all the processes involved in some given 
task is depicted in a visual way. The language enjoys widespread use in the 
specification of telecommunication protocols and has been standardized by the 
ITU-T [1]. In a single MSC we can describe the behavior of all the processes 
involved, including the local actions and the messages exchanged between them. 
Such a slicing of the concurrent execution provides further intuition about the 
behavior of the system. One of the drawbacks of this representation is that tasks 
are seldom executed in a sequential way, and some overlap commonly exists. 

In this paper we study an MSC-related formalism that allows expressing non- 
contiguous tasks. This is done by adding gaps to the MSC formalism. Intended 
for the analysis of systems, we present the formalism and study related verifica- 
tion problems. We are influenced in our proposal by Live Sequence Charts [4] and 
Triggered MSCs [16], and include an assume-guarantee mechanism, i.e., being 
able to require the execution of a task provided that another task was executed. 
While an individual MSC has a formally defined semantics, its relation to 
the system behavior is left open by the standard: the usual interpretation is that 
the scenario should be possible in the implementation. In defining Live Sequence 
Charts, Damm and Harel [4] extensively emphasize the duality of mandatory 
and provisional semantics, but with a much wider set of features, including 
abort/exit conditions and reliable or lossy transmission. The provisional semantics 
is used with the standardized High-Level MSCs (HMSCs for short), that 
are described by (hierarchical) graphs with nodes labeled by MSCs [1]. The semantics 
of an HMSC is the set of MSCs formed by concatenating (process by 
process) MSCs seen along a path. HMSCs have several drawbacks, such as the 
difficulty to express concurrency between two independent threads, due to the 
sequential control of the graph. The result is that many systems are hard to 
model using HMSCs. To address this problem, other kinds of specifications have 
been proposed, e.g. based on Petri nets with transitions labeled by MSCs [12]. 

A totally different approach is taken by Triggered MSCs [16]. They replace 
the sequential description of HMSCs by an assume-guarantee formalism (that 
also exists in LSCs in form of activation messages). Causality is expressed by 
structuring a specification with two components: a precondition that identifies 
the initial behavior, and a postcondition expressing the continuation supposed 
to be guaranteed under this assumption. Assume-guarantee combined with the 
parallel operator emphasizes compositionality: a system description is most eas- 
ily obtained combining MSCs for collections of directly interacting processes, 
and superimposing assume-guarantee patterns that further constrain interac- 
tions between individual scenarios. 

We are inspired by the Triggered MSCs notation. Our suggestion attempts 
to improve on several points, for example, making the use of infinite assume- 
guarantee easier to understand. Our main contribution is to define template 
MSCs, and use them in the Triggered MSCs setting. We achieve conciseness by 
specifying only events strictly needed to identify a scenario and by using gaps as 
placeholders for other messages. With gaps, parallel composition can be simply 
expressed as conjunction, without the need for parallel (shuffle) operators. Using 
assume-guarantee template MSCs we can easily specify loops and thus infinite 
specifications. 

A second important use of assume-guarantee template MSCs is the ability to 
easily specify properties that a system should satisfy (the system is given here 
as a set of FSMs communicating through (existentially) bounded FIFO message 
queues, or as an HMSC). We can express temporal properties, e.g. the fact that 
whenever A happens, B should eventually follow. Compared to temporal logics, 
MSCs have the advantage of being a visual formalism, and thus easier to use in 
a design and engineering environment. Moreover, template MSC formulas are a 
fragment of a partial-order global logic with filter, whose complexity would be 
much higher. We study the complexity of verifying temporal properties expressed 
by various classes of templates and show that it ranges from PTime to ExpSpace 
in the size of the formula, and is linear-time in the size of the system. 




Specifying and Verifying Partial Order Properties Using Template MSCs 197 



One of the main differences between template MSCs and LSCs or Triggered 
MSCs is the use of gaps inside the MSC notation, in order to express an arbitrary 
(but finite) amount of communication or events. The user can also draw single 
send/receive events, with the matching event being located in a gap. Another 
difference is that we are using template MSCs as a visual specification formalism, 
as an alternative to temporal logic specification. Our specification is partial-order 
based, related to logics such as LTrL [17,5], TLC [3] and MSO [13]. 

A variant of model-checking for MSCs and HMSCs is considered in [15]. It 
uses an alternative semantics that consists in adding gaps between each pair 
of events on each process. This allows combating the undecidability of HMSC 
intersection. The approach in this paper is different. Gaps are added in the 
specification, and their locations and types need to be explicitly specified. For 
the full version see http://www.crans.org/~genest/fossacs03_fulLpaper.ps. 

2 Message Sequence Charts and Templates 

Message Sequence Charts (MSC for short) are a scenario language standardized by 
the ITU [1]. They are simple diagrams depicting the activity and communications 
in a distributed system. The entities participating in the interactions 
are called instances (or processes) and are represented by vertical lines. Message 
exchanges are depicted by arrows from the sender to the receiver. In addition to 
messages, atomic actions can also be represented. 

The left part of Figure 1 gives an example of an MSC M modeling two 
messages sent between a Writer W and a Server S. 

Definition 1 An MSC is a tuple $M = (P, E, A, \ell, m, <)$ where: 

- $P$ is a finite set of processes, 

- $E$ is a finite set of events, 

- $A$ is a finite set of names for messages and local actions, 

- $\ell : E \to T = \{p!q(a),\ p?q(a),\ p(a) \mid p \neq q \in P,\ a \in A\}$ labels an event with its 
type: in process $p$, either a send $p!q(a)$ of message $a$ to process $q$ (respectively, a 
receive $p?q(a)$ of message $a$ from process $q$) or a local event $p(a)$. The labeling 
$\ell$ partitions the set of events by type (send, receive, or local), $E = S \cup R \cup L$, 
and by process, $E = \bigcup_{p \in P} E_p$. 

- $m : S \to R$ is a bijection matching each send to the corresponding receive. If 
$m(s) = r$, then $\ell(s) = p!q(a)$ and $\ell(r) = q?p(a)$ for some $p, q \in P$ and $a \in A$. 

- $< \subseteq E \times E$ is an acyclic relation between events consisting of: 

  - a total order on $E_p$, for every process $p \in P$, and 

  - $s < r$, whenever $m(s) = r$. 

The event labeling $\ell$ implicitly defines the process $pr(e)$ for each event $e$: 
$pr(e) = p$ if $e \in E_p$, i.e., $\ell(e) \in \{p!q(a),\ p?q(a),\ p(a)\}$ for some $q \in P, a \in A$. We 
assume that channels are FIFO, i.e., there is no overtaking on messages sent on 
the same channel. 

The relation $<$ is called the visual order on the MSC, since it corresponds 
to its graphical representation. It is comprised of the process ordering 
and the message ordering, pairwise between send and matching receive. 
Since $<$ is required to be acyclic, its reflexive-transitive closure $<^*$ is a partial 
order on the set $E$ of events, which we will denote by $\leq$. An extension 
of $\leq$ to a total order on $E$ is called a linearization of $M$. We denote 
by $Lin(M)$ the set of all labeled linearizations of an MSC $M$, 
$Lin(M) = \{\ell(e_1) \cdots \ell(e_n) \mid e_1 \cdots e_n \text{ is a linearization of } M\}$. 

The main objective in this paper is to model complex communication interactions 
using finite scenarios. We argue that HMSCs are hard to use in specification, 
since a designer must be able to describe the global behavior of a protocol 
in the form of a graph. In general, finite MSCs are easier to use, since they capture 
the essence of scenarios. To describe one particular aspect of the system behavior, 
it is frequently not necessary to consider all message exchanges, or indeed not 
even all processes. Thus, we propose to use templates, which are diagrams in 
which events/messages can alternate with gaps. Gaps are effectively placeholders 
for arbitrarily many (possibly zero) events or messages between designated 
processes. They can be instantiated by compositional MSCs (CMSC for short), 
an extension of MSCs [7]. The difference between a CMSC and an MSC 
is that the message function $m$ is a partial function, i.e., there can be sends or 
receives for which no matching event is defined. A send $s$ is called matched if the 
(matching) receive $r = m(s)$ is defined. By instantiating gaps by CMSCs, there 
can be messages exchanged between different gaps, or messages composed of an 
event of the diagram and an event in a gap. The template MSC $N$ in the right 
part of Figure 1 describes the set of all CMSCs containing the message $a$. 

Definition 2 (Template MSC) A template MSC is a tuple $(P, E, \Gamma, A, \ell, m, <)$, 
where $(P, E, A, \ell, m, <)$ is a CMSC, with the following components extended: 

- $\Gamma$ is a finite set of gap markers, 

- $\ell : \Gamma \to 2^T$, with $\ell(\gamma) \subseteq T$ the message types allowed in gap $\gamma \in \Gamma$. 
Let $\Gamma_p \subseteq \Gamma$ be the set of gaps $\gamma$ such that $\ell(\gamma)$ allows events on process $p$. 

- $< \subseteq (E \cup \Gamma)^2$. For each process $p \in P$ the restriction of $<$ to $E_p \cup \Gamma_p$ must 
be a total order. 

The order between gaps and events in the above definition ensures that template 
MSCs can be effectively represented as diagrams. The semantics of a template 
MSC is an infinite set of CMSCs, obtained by replacing the gaps by CMSCs 
of allowed types. 

Definition 3 (Semantics) A template MSC $M = (P, E, \Gamma, A, \ell, m, <)$ 
defines a set of CMSCs, denoted by $\mathcal{L}(M)$. A CMSC 
$M' = (P,\ E' = E \cup \bigcup_{\gamma \in \Gamma} E'_\gamma,\ A,\ \ell',\ m',\ <')$ is in $\mathcal{L}(M)$ if it is obtained by 
replacing each gap $\gamma \in \Gamma$ with a (possibly empty) CMSC with event set $E'_\gamma$ 
such that: 

- The type function $\ell'$ is the union of $\ell$ and the type function of each $E'_\gamma$. It 
is required that $\ell'(e) \in \ell(\gamma)$ for every event $e \in E'_\gamma$ (i.e., $E'_\gamma$ contains only 
events of allowed types). 

- The message function $m'$ extends $m$ and the message function of each $E'_\gamma$. 
It is required that $m'$ preserves the FIFO restriction on matched events. 

- The visual order $<'$ is the union of $<$, the visual order of each $E'_\gamma$, and the 
set of all pairs $(e, f)$ satisfying $m'(e) = f$ or $pr(e) = pr(f)$ and one of the 
following: 

  • $e \in E'_\gamma$, $f \in E'_\kappa$ with $\gamma < \kappa$ (both $e, f$ in gaps), 

  • $e \in E'_\gamma$, $f \in E$ with $\gamma < f$ ($e$ in a gap), 

  • $e \in E$, $f \in E'_\gamma$ with $e < \gamma$ ($f$ in a gap). 

Remark. The ordering required between an event $e$ and a gap $\gamma$ sharing some 
process does not imply an order between $e$ and all events of $\gamma$. That is, we may 
have two unordered events $e, f$ in $M'$, with $f$ belonging to some gap $\gamma$ where 
$e < \gamma$ (however, $pr(e) \neq pr(f)$ in this case). Moreover, we may have $e < \gamma < f$ 
in $M$ with $e, f \in E$, $\gamma \in \Gamma$, but by replacing $\gamma$ with the empty MSC, $e, f$ are 
not ordered in $M'$. 

Note also that with our definition it is possible to obtain different message 
functions $m'$ for the same instantiation of gaps. This is needed since 
we will concatenate two such CMSC instantiations $M_1, M_2$, such that the result 
is an MSC. Thus the message function of $M_2$ depends on $M_1$. □ 

Notice also that compositionality in gaps is mandatory if one wants e.g. to 
describe the set of all MSCs containing a given message. Assume for instance 
that in Figure 1 the gaps of $N$ are instantiated by MSCs, and not by CMSCs. 
Then the MSC $M$ in the left part does not belong to the template $\mathcal{L}(N)$. 




Fig. 1. Template N representing all (C)MSCs containing the message a 



We define $Lin(M)$ for a template MSC $M$ as the union of the linearizations 
of all CMSCs from $\mathcal{L}(M)$. 

Template MSCs describe only simple communication patterns. To increase 
their expressivity, we can use them in an assume-guarantee framework, that 
allows in particular to express safety and liveness-like properties (see Section 
4.1). For defining assume-guarantee template MSCs we first define what it means 
to decompose an MSC $N$ as $N = ST$, where $S, T$ are CMSCs. It means that 
there exists a linearization $x_1 \cdots x_k$ of $N$ and some $1 \leq i \leq k$ such that $x_1 \cdots x_i$ 
($x_{i+1} \cdots x_k$, resp.) is a linearization of $S$ ($T$, resp.). 

Definition 4 (Assume-guarantee template MSCs) Let $M_a, M_g$ be two template 
MSCs. Then $M_a \rightarrowtail M_g$ and $M_a \rightarrowtail \neg M_g$ are assume-guarantee template MSCs 
that define sets of MSCs, denoted by $\mathcal{L}(M_a \rightarrowtail M_g)$, $\mathcal{L}(M_a \rightarrowtail \neg M_g)$: 

- $\mathcal{L}(M_a \rightarrowtail M_g) = \{N \in MSC \mid$ for every decomposition $N = ST$, either 
$S \notin \mathcal{L}(M_a)$ or $T \in \mathcal{L}(M_g)\}$. 

- $\mathcal{L}(M_a \rightarrowtail \neg M_g) = \{N \in MSC \mid$ for every decomposition $N = ST$, either 
$S \notin \mathcal{L}(M_a)$ or $T \notin \mathcal{L}(M_g)\}$. 

For an example of an assume-guarantee template MSC see Figure 4. Notice 
that $S, T$ can be CMSCs, but $ST = N$ is required to be an MSC. Note also that 
assume-guarantee template MSCs generalize MSCs, since every MSC $M$ can be 
represented as $\epsilon \rightarrowtail M$, where $\epsilon$ is the empty MSC. 

A template MSC formula is a conjunction $\bigwedge_i \big(M_a^i \rightarrowtail \bigvee_j \pm M_g^{i,j}\big)$, where 
$\pm$ means that guarantee MSCs may appear in either positive or negated form. 
That is, for each of the individual assume-guarantee specifications of the outermost 
conjunction, we have preconditions in the form of positive scenarios, and 
postconditions as disjunctions of either positive or negative (forbidden) scenarios. 
Hence, an MSC $N$ belongs to $\mathcal{L}(M_a \rightarrowtail \bigvee_j \pm M_g^j)$ iff for every decomposition 
$N = ST$, whenever $S \in \mathcal{L}(M_a)$ either $T \in \mathcal{L}(M_g^j)$ for some positive $M_g^j$, or 
$T \notin \mathcal{L}(M_g^j)$ for some negative $M_g^j$. This conditional description allows in 
particular the guarantee $false$, with $\mathcal{L}(false) = \emptyset$. For example, an MSC $N$ satisfies 
$M \rightarrowtail false$ iff no prefix of $N$ is in $\mathcal{L}(M)$. The formula $\epsilon \rightarrowtail \neg M$ describes the 
complement of $\mathcal{L}(M)$. 

3 Modeling Using Template MSCs 

A first application of template MSCs is modeling protocols more easily than with 
HMSCs [1]. The drawback of the standard notation of HMSCs is that one needs 
a global (graph) description combining several scenarios, resp. behaviors of the 
system. Using template MSCs, we model each behavior locally, that is, each 
scenario is described on the processes that it involves. We then restrict the 
combination of these local behaviors by using template formulas. In the latter 
step, using template MSCs allows us to focus only on the relevant messages in 
a scenario, and avoid both repetition and the inclusion of unrelated messages. 
Fig. 2. Global Behavior of Writer-Server-Reader System: $(N_1 \vee N_2)^* \| (N_3 \vee N_4)^*$ 

We present an example that illustrates the major features of our approach, 
namely the reader-writer example, taken from [16]. The system consists of three 
processes: a writer $W$ and a reader $R$ which concurrently access variables 
maintained by a server $S$. The latter has the task of maintaining atomicity and 
serialization of read and write operations, each of which is performed in two 
phases. Since triggered MSCs cannot deal easily with infinite specifications, the 
example from [16] involves a single read/write operation. With template formulas 
we do not have this problem, so we extend this example to arbitrarily many 
write/read operations. 

The writer $W$ performs a tentative update of variable $x$ by sending a message 
$w(x)$ to the server $S$; $x$ is now in a “dirty” state. Then, $W$ performs a local 
action ok or fail which decides on the outcome of the write, and sends the 
corresponding message commit or abort to the server. A commit marks the 
variable as “clean”. An abort causes the server to perform a local rollback action 
rb and potentially influences a read in progress. The reader $R$ can send the 
server a request $r(x)$ for the variable $x$, to which the server responds with a 
value $val(x)$. Subsequently, the server either follows up with a commit message, 
if the sent value was clean or has since been committed by the writer, or sends 
an abort if the sent value has to be rolled back. Although many different orders 
of interactions between the three processes are possible, the interaction between 
the pairs of directly communicating processes is simple. Our system description 
above contains a pair of basic scenarios for both writer-server and reader-server 
interaction, depicted in Figure 2. 

The global behavior is a subset of that given by composing these individual 
scenarios. Using a notation similar to Triggered MSCs, we would write 
$(N_1 \vee N_2)^* \| (N_3 \vee N_4)^*$. However, one side effect of gaps is that they make 
the definition of a parallel composition operator unnecessary, assuming that 
we compare MSCs with different type sets. To express $N_1 \| N_3$ for instance, it 
suffices to extend both MSCs to all three processes, and add gaps in between 
all messages. The gaps in $N_1$ (resp. $N_3$) allow only events of $N_3$ (resp. $N_1$). 
Then, parallel composition simply becomes conjunction (language intersection): 
$\mathcal{L}(N_1 \| N_3) = \mathcal{L}(N_1) \cap \mathcal{L}(N_3)$. We need slightly more work for expressing the star 
of languages. First, we need an initialization step $(\epsilon \rightarrowtail M_1 \vee M_2)$ for the writer, 
meaning that every MSC in the specification should begin on $W, S$ with a write, 
and then either ok and commit, or fail and abort. Anything can happen next, as 
allowed by the unrestricted gap $\gamma^*$. The MSCs $M_1, M_2$ are defined in Figure 3, 
where the gap $\gamma^*$ has no restriction, while $\gamma_R$ is restricted to events of $N_3, N_4$. 

By adding an inductive step we obtain the specification. Namely, we need 
that either $M_1$ or $M_2$ happens after each message commit (or event rb), or there 
is no more event on $W, S$ (gap $\gamma_R$), specified as: 

$$\gamma^*\,commit \rightarrowtail M_1 \vee M_2 \vee \gamma_R \quad\wedge\quad \gamma^*\,rb \rightarrowtail M_1 \vee M_2 \vee \gamma_R$$ 

The same applies for M 3 , M 4 . These individual scenarios are interdependent, 
so the global system behavior is obtained by imposing additional constraints 
on their composition. We divide the constraints into an assumption part that 
identifies the initial behavior in a scenario, and a guarantee part expressing the 
behavior expected of the system under this assumption. 
Fig. 3. Initialization: $\epsilon \rightarrowtail (M_1 \vee M_2) \wedge \epsilon \rightarrowtail (M_3 \vee M_4)$ 



For our WSR example we identify 5 cases, specified with the constraints in 
Figure 4. $M_5$ states that if a write on the Server is followed by a send of $x$ to the 
Reader, and the Writer aborts (precondition), then the Server should inform the 
Reader about the abort (postcondition). The occurrence of the read is guaranteed by 
$M_3$ or $M_4$, so it need not be specified again. Likewise, $M_1, M_2$ ensure that if there 
is no write between a send of $x$ and an abort of the Writer, then the write has 
occurred in the first gap. This precondition will imply an abort for the read 
(postcondition). The remainder of the interaction need not be specified, so we 
allow gaps in between these actions, corresponding to sending and receiving other 
messages. The other cases correspond to a commit of the value. Namely, a value 
is sent while no write has been produced ($M_6$), or a value is sent after the last 
write has been rolled back ($M_7$)/committed ($M_8$), or a commit is received 
immediately after the value is sent ($M_9$). 

Fig. 4. Assume-Guarantee Scenarios for Writer-Server-Reader System 



Hence the constraint is $M_5 \wedge M_6 \wedge M_7 \wedge M_8 \wedge M_9$. Without template MSCs, 
we would need to write at least every possible instantiation for gaps in our 5 
cases, yielding at least 12 cases. For instance, an HMSC specifying the same 
model would require at least 19 states. Moreover, the size increases even more 
severely (exponentially) if instead of a single reader we allow several ones. With 
template formulas we express the constraints for each pair Writer/Reader, while 
an equivalent HMSC has to describe all possible combinations over all Readers. 
This lack of conciseness of HMSCs is a real drawback, since many algorithms 
involving MSCs are at least NP-hard. First, HMSCs are unable to represent the 
parallel composition, which can lead to an exponential blow-up compared with 
template formulas, and to specifications that are harder to understand. Second, 
HMSCs are finitely generated, which prevents them from implementing simple 
protocols such as the alternating bit. Third, HMSCs cannot be complemented in 
general. Hence, since template formulas implicitly complement the assume part, 
they are not subsumed by HMSCs. 

4 Specifying Properties 

4.1 Logical Properties 

Template MSC formulas can describe easily and in a concise way some interesting 
properties and can be model-checked (see next section). We can use them for 
describing global properties of MSC configurations and use gaps as filters, i.e., 
for restricting the types of events. We denote in the examples below by $\gamma$ an 
unrestricted gap over all processes, and by $\gamma_{\neg a}$ a gap that can generate all event 
types except for $a$. 

- $(\gamma A) \rightarrowtail false = \epsilon \rightarrowtail \neg(\gamma A \gamma)$: No execution contains the MSC $A$. 

- $\gamma \rightarrowtail \gamma A \gamma$: Every execution contains infinitely often the MSC $A$. 

- $\gamma A \rightarrowtail \gamma B \gamma$: Whenever $A$ occurs, eventually $B$ will occur. 

- $(\gamma A \rightarrowtail \gamma a \gamma) \wedge [\epsilon \rightarrowtail (\gamma_{\neg a} \vee \gamma_{\neg a} A \gamma)]$: The MSC $A$ may occur. If this is the 
case, then the event $a$ must follow. Moreover, event $a$ cannot occur before 
$A$. One can see $a$ as an alarm event that is triggered by $A$. 
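The following Python is an added example and not the paper's own code. It builds a small MSC in the sense of Definition 1 (processes, labelled events, the bijection $m$, the visual order $<$), checks the FIFO assumption on channels, enumerates the labelled linearizations $Lin(M)$, and decides membership in $\mathcal{L}(M_a \rightarrowtail \pm M_g)$ from Definition 4 by examining every decomposition $N = ST$ of every linearization; the split with empty $S$ is included so that $\epsilon \rightarrowtail M$ denotes $\mathcal{L}(M)$ as stated. Two simplifications are assumptions of this example: template languages are given as predicates on label sequences (for the single-event templates $\gamma a$ and $\gamma a\gamma$ of Section 4.1 these are "ends with $a$" and "contains $a$") instead of by instantiating gaps with CMSCs, and the sample MSC, a write followed by ok and commit between the Writer $W$ and the Server $S$, is constructed here after the prose of Section 3 rather than taken from Figure 1.

```python
import itertools
import re
from typing import Callable, Dict, List, Set, Tuple

# Added example, not the paper's own code. Labels follow Definition 1:
# "W!S(w)" is a send from W to S of message w, "S?W(w)" the matching receive
# on S, and "W(ok)" a local event of W.
Label = str
Seq = Tuple[Label, ...]
Language = Callable[[Seq], bool]     # assumption: a template given as a predicate on label sequences


def process_of(label: Label) -> str:
    """pr(e) read off the label: the process name before '!', '?' or '('."""
    return re.match(r"\w+", label).group()


class MSC:
    def __init__(self, labels: Dict[str, Label], process_order: Dict[str, List[str]],
                 messages: Dict[str, str]):
        self.labels = labels                  # event -> label (the function l)
        self.process_order = process_order    # process p -> the events of E_p, top to bottom
        self.messages = messages              # send -> matching receive (the bijection m)
        # The visual order <: consecutive events on one process, and s < r whenever m(s) = r.
        self.visual: Set[Tuple[str, str]] = set(messages.items())
        for evs in process_order.values():
            self.visual.update(zip(evs, evs[1:]))

    def is_fifo(self) -> bool:
        """No overtaking: two sends on the same channel p -> q are received in the order sent."""
        pos = {e: i for evs in self.process_order.values() for i, e in enumerate(evs)}
        for s1, s2 in itertools.combinations(self.messages, 2):
            r1, r2 = self.messages[s1], self.messages[s2]
            same_channel = (process_of(self.labels[s1]) == process_of(self.labels[s2])
                            and process_of(self.labels[r1]) == process_of(self.labels[r2]))
            if same_channel and (pos[s1] < pos[s2]) != (pos[r1] < pos[r2]):
                return False
        return True

    def linearizations(self) -> List[Tuple[str, ...]]:
        """All total orders extending <* (empty when < has a cycle)."""
        preds = {e: {a for a, b in self.visual if b == e} for e in self.labels}
        result: List[Tuple[str, ...]] = []

        def extend(done: List[str], remaining: Set[str]) -> None:
            if not remaining:
                result.append(tuple(done))
            for e in sorted(remaining):
                if preds[e] <= set(done):          # every predecessor is already placed
                    extend(done + [e], remaining - {e})

        extend([], set(self.labels))
        return result

    def lin(self) -> Set[Seq]:
        """Lin(M): the labelled linearizations."""
        return {tuple(self.labels[e] for e in x) for x in self.linearizations()}


# Template languages as predicates (an assumption of this example, see the lead-in).
def empty(s: Seq) -> bool:                 # epsilon: only the empty sequence
    return len(s) == 0

def ends_with(a: Label) -> Language:       # "gamma a": anything, then the single event a
    return lambda s: len(s) > 0 and s[-1] == a

def contains(a: Label) -> Language:        # "gamma a gamma": the event a occurs somewhere
    return lambda s: a in s


def satisfies(n: MSC, assume: Language, guarantee: Language, negated: bool = False) -> bool:
    """N in L(M_a >-> M_g), or in L(M_a >-> not M_g) when negated: for every
    linearization x_1..x_k of N and every split point i, either x_1..x_i is not in
    L(M_a) or x_{i+1}..x_k is in (resp. not in) L(M_g). Split i = 0 is allowed so
    that epsilon >-> M denotes exactly L(M)."""
    for x in n.lin():
        for i in range(len(x) + 1):
            if assume(x[:i]) and guarantee(x[i:]) == negated:
                return False
    return True


def writer_server() -> MSC:
    """Constructed sample: W writes x, decides ok and commits; S receives both messages."""
    return MSC(labels={"e1": "W!S(w)", "e2": "S?W(w)", "e3": "W(ok)",
                       "e4": "W!S(commit)", "e5": "S?W(commit)"},
               process_order={"W": ["e1", "e3", "e4"], "S": ["e2", "e5"]},
               messages={"e1": "e2", "e4": "e5"})


def overtaking() -> MSC:
    """Constructed sample violating FIFO: the commit overtakes the write on channel W -> S."""
    return MSC(labels={"e1": "W!S(w)", "e2": "S?W(commit)", "e3": "W!S(commit)", "e4": "S?W(w)"},
               process_order={"W": ["e1", "e3"], "S": ["e2", "e4"]},
               messages={"e1": "e4", "e3": "e2"})
```

On the constructed MSC, `satisfies(writer_server(), ends_with("W!S(w)"), contains("W!S(commit)"))` holds (whenever the write is sent, a commit send follows), whereas `satisfies(writer_server(), ends_with("S?W(w)"), contains("W(ok)"))` fails, because in the linearization where `W(ok)` precedes `S?W(w)` the suffix after the receive no longer contains it; this is the "every decomposition" quantification of Definition 4 at work, not a property of a single interleaving.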

The theorem below shows that the expressiveness of compositional gaps has a 
drawback, namely that the satisfiability problem for template formulas is undecidable 
in general. However, we can check the satisfiability of a template formula 
$\Phi$ if we ask only for MSCs that have at least one linearization where the size of 
each channel is bounded by some given value $b$ (it is possible that other equivalent 
linearizations have higher bounds). A set $S$ of such MSCs is called existentially 
$b$-bounded. For instance, every HMSC (even every realizable compositional HMSC, 
see [7]) is existentially bounded. 

Theorem 1 

1. Given a bound $b$ and a template MSC formula $\Phi$, it is decidable 
whether there exists an existentially $b$-bounded MSC in $\mathcal{L}(\Phi)$. 

2. It is undecidable whether a template MSC formula $\Phi$ satisfies $\mathcal{L}(\Phi) \neq \emptyset$. 

The proof of the first statement above follows from the results in the next 
section. For the second statement, we reduce from the Post correspondence problem, 
making use of the unbounded communication channels. 
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4.2 Model-Checking Template Formulas 

We consider now the problem of verifying an implementation of a communication
protocol S with respect to a template MSC formula $\Phi$. A different approach
using partial order MSO for the specification $\Phi$ gives decidability for the
model-checking problem [13], albeit at very high costs. As suggested by
Theorem 1, the system S needs an existential bound on buffers, denoted by $b_S$.
This includes protocols modeled by HMSCs, communicating finite state machines
with existentially bounded FIFO buffers (and even realizable compositional
HMSCs, see [7]). The model for the implementation here is a finite automaton
(FSM), generating linearizations of MSCs. We do not require that S is
linearization-closed, i.e., S may generate a linearization of some MSC without
generating all of them. We can obtain a linear-size FSM from any (realizable
compositional) HMSC. It suffices to replace each node by a linearization of the
CMSC labeling the node.

Definition 5 For an FSM S and an assume-guarantee MSC $M_a \Rightarrow \pm M_g$
we write $S \models (M_a \Rightarrow \pm M_g)$ if $\mathcal{L}(S) \subseteq
\mathcal{L}(M_a \Rightarrow \pm M_g)$. The satisfaction of a template formula is
defined according to the usual semantics of $\wedge, \vee$.

In the following, we give complexity results for checking $S \models \Phi$ for
various classes of template MSC formulas $\Phi$. While S can be very large, real
life formulas $\Phi$ and existential channel bounds are pretty small. Hence we
focus on keeping the complexity linear w.r.t. S. We will transform the formula
into an automaton, so our algorithm will be automata-based. Moreover, checking
that $S \models \bigwedge_i \Phi_i$ is done for each $\Phi_i$ separately.

Proposition 1 Given an FSM S with channel bound $b_S$ and a template MSC
$M_g$, we can check whether $S \models e \Rightarrow M_g$ in space exponential in
$b_S|M_g|$ and logarithmic in $|S|$.

Proof. Let E be the set of events in the template MSC $M_g$. Let M be the MSC
obtained from $M_g$ by replacing each gap by the empty MSC. Let us fix a
linearization $x = x_1 \cdots x_n$ of M. We show how to construct an NFA $A_x$
accepting every linearization of $Lin(M_g)$ whose events occur in the order
given by x.

For each gap $\gamma$ of $M_g$ and each process p that is allowed in $\gamma$ we
use a new symbol $\gamma_p$. We first set the beginning and the end of $\gamma$
on process p by choosing two positions $i < j$ in x and then inserting one
occurrence of $\gamma_p$ between each $x_k, x_{k+1}$ for $i < k < j$. The
choice of i, j must be consistent with the position of gap $\gamma$ on process
p. For instance, both the events on p before $\gamma$ and the symbols
$\kappa_p$ with $\kappa < \gamma$ must precede $x_i$. Let y be a string obtained
in this manner. It remains to replace each symbol $\gamma_p$ by
$X_{\gamma,p}^*$, with $X_{\gamma,p} \subseteq \Sigma(\gamma)$ the event types
of $\gamma$ on process p. In order to obtain all linearizations of $Lin(M_g)$,
between any two consecutive events $x_i, x_{i+1}$, the NFA will generate all
possible orderings of events that preserve the sequence of gap symbols
$\gamma_p$ on process p. For instance, suppose that we have … between two
events. Then the NFA generates
$(X_{\gamma_1,p} \cup X_{\gamma_2,r} \cup X_{\gamma_1,q})^*
(X_{\gamma_3,r} \cup X_{\gamma_2,p} \cup \cdots$
We have to ensure that messages of M are preserved. For this, we use one
counter (of maximal value $b_S$) per message in M. Furthermore, to ensure that a
message is never received before being sent, we use one counter per
communication channel (of maximal value $b_S$). When a message m from p to q of
M is sent, the counter $C_m$ is initialized at 0. We increment it when a message
is sent from p to q, and decrement when q receives from p. When the message m
is received, we block the counter $C_m$. In the same way, we increment and
decrement the counter corresponding to some channel, and block whenever it has
value -1. The automaton accepts iff all counters are 0.

The resulting NFA is exponential in $b_S|M_g|$ and accepts all $b_S$-bounded
linearizations of $Lin(M_g)$. For a positive guarantee we can thus check
$\mathcal{L}(S) \subseteq Lin(M_g)$ in space exponential in $b_S, |M_g|$. For a
negative guarantee we check $\mathcal{L}(S) \cap Lin(M_g) = \emptyset$ in
polynomial space in $b_S, |M_g|$. □

We can construct the same automaton for the precondition $M_a$. Then we
compute in polynomial space the states of S that can be reached from an initial
state by some execution corresponding to an MSC in $\mathcal{L}(M_a)$. We obtain:

Theorem 2 Checking $S \models M_a \Rightarrow \bigvee_i (\pm) M_g^i$ is in
EXPSPACE$(b_S|M_g|)$ (and PSPACE$(|M_a|)$). Checking $S \models M_a \Rightarrow
\bigvee_i \neg M_g^i$ is in PSPACE$(b_S|M_g||M_a|)$.

4.3 Model-Checking in PTIME 

While template specifications are quite expressive, we have seen in the previous
section that model-checking is rather expensive. On the other hand,
partial-order logics are in general more expensive than linear logics (e.g.,
LTrL is non-elementary [18]). For a natural fragment of LTrL that is related to
our template formulas, where the until operator is replaced by the existential
diamond operator, model-checking is also EXPSPACE [3,18]. In this section we
consider a reasonable restriction of template MSCs that yields a polynomial
time model-checking algorithm. Basically, we require that 1) the guarantee
template has only one gap, 2) the system is linearization-complete and 3) gaps
must be instantiated by simple MSCs (instead of CMSCs).

Proposition 2 Checking $S \models e \Rightarrow M_g$, where S is an FSM and $M_g$
is an MSC with at most one gap, can be done in time polynomial in $|M_g|$.

Proof. For each process p, we show how to build an automaton $A_p$ of polynomial
size, recognizing linearizations where the projection on p contradicts the
projection of $Lin(M_g)$ onto p, denoted as $\Pi_p(Lin(M_g))$. We have
$\Pi_p(Lin(M_g)) = a_1 \ldots a_l X_p^* b_1 \ldots b_m$ where $X_p$ is the set
of all events allowed in the unique gap of $M_g$ on process p. For generating
$\mathcal{L}(A_p) = \overline{\Pi_p(Lin(M_g))}$, we just need the disjunction of
three regular sets, the first one testing that the number of events on p is
less than $l + m$, the second one recognizing the violation of the prefix
$a_1 \ldots a_l$ on p, and the third one recognizing the violation of the suffix
$b_1 \ldots b_m$ on p. Clearly, $Lin(S) \cap Lin(\bigcup_p A_p) = \emptyset$ iff
$S \models e \Rightarrow M_g$. □

For model-checking vs. an assume-guarantee template MSC in polynomial time we
consider only linearization-complete systems. Recall that a system S is
linearization-complete if for each execution of S that is the linearization of
an MSC M, every linearization of M is an execution of S. Such a system can be
derived from a regular MSC language [10].

Proposition 3 Given a linearization-complete system S and a template MSC
$M_a$, we can construct a polynomial-size NFA A such that:

1. $\mathcal{L}(A) \cap \mathcal{L}(S) \subseteq Lin(M_a) \cap \mathcal{L}(S)$, and

2. for each MSC $M \in \mathcal{L}(M_a)$ with $Lin(M) \cap \mathcal{L}(S) \neq
\emptyset$, A accepts at least one linearization in $Lin(M) \cap \mathcal{L}(S)$.

In particular, the last proposition implies that we can determine in polynomial
time the states of S that can be reached from an initial state by some
execution corresponding to an MSC in $M_a$, by computing $\mathcal{L}(A) \cap
\mathcal{L}(S)$.

Proof. Consider an arbitrary linearization $x_1 \cdots x_n$ of $M_a$, with
$x_i \in E \cup \Gamma$. Since S is complete, any MSC in $\mathcal{L}(M_a)$ that
has a linearization in $\mathcal{L}(S)$ also has a linearization in
$\mathcal{L}(S)$ corresponding to $x_1 \cdots x_n$. We construct A as a
sequencing of NFA, one for each $x_i$. For events, the NFA is trivial, with one
transition. For gaps, we note that any event sequence in A which doesn't
respect the message order is eliminated on intersection with S. Thus, it
suffices to build for each gap an NFA which at each state has a transition for
any event e allowed in the gap, augmented with incrementing a global counter on
each send (and decrementing it on each receive). The NFA accepts when the
counter is zero, i.e. the total number of sends and receives is balanced. The
intersection with S ensures acceptance of only those sequences which are
balanced for each individual message. The value of the counter is bounded by
the total number of outstanding messages, which is less than the size of S.
Thus, A is of polynomial size. □

Notice that we cannot check a template formula $M_a \Rightarrow \bigvee_j M_g^j$
in PTIME since the non-emptiness problem of the intersection of several
automata is already PSPACE-hard. We can just generalize to the following:

Theorem 3 Checking that $S \models \bigwedge_i (M_a^i \Rightarrow M_g^i)$, where
S is a linearization-complete system, each $M_g^i$ has at most one gap and gaps
in both $M_a^i, M_g^i$ must be instantiated by MSCs, can be done in time
polynomial in the size of $M_a^i$, $M_g^i$ and S.

4.4 Closing the Gap between PTIME and EXPSPACE 

A natural question arising now is which special cases of assume-guarantee
template MSCs can be model-checked in less than exponential space. This is more
than just a theoretical question, since model-checking in the general setting
is very expensive, while the PTIME case given in section 4.3 can only express
very simple properties.

In this section we restrict the guarantee template to have at most two gaps,
which basically means pattern matching a finite MSC. Notice that even the
complex alarm property in section 4.1 is rather concise, it uses just two gaps.

The main result given in this section is that model-checking assume-guarantee
template MSCs where the guarantee part has at most two gaps can be done in
PSPACE. Since the guarantee part is usually small, a polynomial space algorithm
in the size of the formula and logarithmic in the size of the system is
feasible in practice (remember that model checking an FSM against an LTL
formula is also polynomial space in the size of the formula, but logarithmic in
the size of the FSM).

Proposition 4 Consider an FSM S (linearization-complete or not), and a
template MSC M with 2 gaps. Checking that $S \models e \Rightarrow M$ is in
PSPACE$(b_S|M|)$.

We describe the algorithm first for an easier case, namely when $M = \gamma P
\gamma$, where $\gamma$ is a gap on all processes without any type restriction,
and P is a finite MSC (pattern). We adapt the pattern matching algorithm of [8]
for Mazurkiewicz traces, improving the result stated for hierarchical MSCs in
[6]. Intuitively, we do string pattern matching for each projection $P_p$ of
the pattern P on a process p and then determine occurrences that match
together to an MSC pattern.

Formally, for an MSC N and a process p we denote by $N_p$ the sequence of
events of N on p. The idea is to compute for each process p the positions $x_p$
of $M_p$ where $P_p$ occurs, and check that there exists some tuple of
positions $(x_p)_{p \in \mathcal{P}}$ that corresponds to the pattern P. We
locate a pattern $P_p$ immediately after its last event. For simplicity, if P
has no event on process p, then we do as if there is a pattern $P_p$ after any
event of M on p.

Definition 6 Let $x_p, x_q$ be two occurrences of $P_p$ and $P_q$, resp., in
the MSC M. We call $x_p, x_q$ compatible if 1) there is no message (s, r) in M
from p to q with $x_p < s < r < x_q$ and no message from q to p with
$x_q < s < r < x_p$, and 2) if P contains a message from p to q, then there is
no message (s, r) in M from p to q with $s < x_p$ and $x_q < r$.

The next proposition states that the compatibility relation suffices for
knowing whether $M = \gamma P \gamma$, i.e., whether P occurs in M or not.

Proposition 5 A $\mathcal{P}$-tuple $(x_p)_{p \in \mathcal{P}}$ is an occurrence
of P in an MSC M iff $x_p, x_q$ are compatible for all p, q.

Proof. The implication from left to right follows easily. For the converse
assume by contradiction that $(x_p)_{p \in \mathcal{P}}$ is not a pattern
because for some pair of processes p, q, the sends from p to q do not match the
receives of q from p.

There are several cases to consider. Either $x_p$ ends before the send of the
last message m from p to q that hits $x_q$, and then this message m is after
$x_p$ and before $x_q$, which is not possible. Or $x_q$ ends before the receive
of the last message m from p to q that was issued in $x_p$, and then this
message m is before $x_p$ and after $x_q$, which is not possible by the
additional rule.

The last case where $(x_p)_{p \in \mathcal{P}}$ is not a pattern is because of
some chain of messages $(s_k, r_k)_{1 \le k \le m}$ with $p_k = pr(s_{k+1}) =
pr(r_k)$, $r_k < s_{k+1}$ for all k, and such that $p_1 = p$, $p_{m+1} = q$,
$x_p < s_1$, $r_m < x_q$. Thus, there exists some k such that $x_{p_k} < s_k$
and $r_k < x_{p_{k+1}}$. But this means that $(x_{p_k}, x_{p_{k+1}})$ are not
compatible, a contradiction. □

The overall idea is to generate on-the-fly every pattern $x_p$ for all p, and
to compute the last pattern $x_p$ can be compatible with. If some $x_p$ is not
compatible with any $x_q$ (for at least one q), then we delete it. For
instance, let (s, r) be a message between p and q, and $x_q$ be the last
pattern on q before the receive r. For all patterns $x_p < s$ on process p, the
pattern $x_q$ is the last pattern $x_p$ can be compatible with, since any
pattern $x_q > r$ on q would satisfy $x_p < s < r < x_q$. In the case where
$x_q$ does not exist, $x_p$ cannot be matched and should be deleted.

Let A be the automaton corresponding to the product of deterministic automata
recognizing (word) patterns on each process, using the pattern matching
algorithm of Knuth-Morris-Pratt.

We build an automaton B based on A that recognizes runs (linearizations) that
do not contain pattern P. The states of B are of the form (a, S, Pattern, c),
where

— a is a state of A.

— S is the set of unmatched sends seen so far.

— $Pattern = \bigcup_p Pattern_p$, where $Pattern_p$ is the set of patterns on
process p (not deleted) seen so far.

— c is the compatibility function. For $x \in Pattern$, $p \in \mathcal{P}$,
$c(x, p) \in Pattern_p \cup \{+\infty\}$ is the last pattern x is compatible
with. It equals $+\infty$ if x is compatible with any pattern on p.



              | $M_a$                          | $M_g$
    ----------+--------------------------------+-----------------------------------
    PTIME     | closed gaps and S complete     | ± one closed gap, no disjunction
              | or one closed gap              |
    PSPACE    | no restriction                 | negative templates or ± two gaps
    EXPSPACE  | no restriction                 | no restriction

Fig. 5. Complexity of Model-Checking



We describe now the transitions. Let e be an event. Then $(a, S, Pattern, c)
\xrightarrow{e} (a', S', Pattern', c')$ iff $a \xrightarrow{e} a'$ in A and

1. if $e = p!q$ then Create_new_send(e)

2. if $e = p?q$, let $s \in S$ be the send matching the receive e.
Update_dependencies(s, e)

3. if $pr(e) = p$ and A recognizes a pattern on p, Create_new_pattern(p).

Proposition 6 Let B have final states of the form $(a, S = \emptyset, Pattern,
c)$, such that $Pattern_p = \emptyset$ for at least some process p. Then
$M \in \mathcal{L}(B)$ iff P does not occur in M.
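The compatibility test of Definition 6 and Proposition 5, carried out offline as an added example that is not the paper's code: instead of the on-the-fly automaton B, it enumerates the per-process string occurrences of the pattern and checks every tuple pairwise. The MSC encoding, the two MSCs searched, and the convention that a pattern with no event on a process may also sit before the first event are assumptions of this example.

```python
from itertools import product

# Added example (not the paper's code).  An MSC is a dict process -> list of events;
# an event is ('!', peer) for a send to peer or ('?', peer) for a receive from peer.
# The k-th send on a channel is matched with the k-th receive (FIFO channels).


def messages(msc):
    """List the messages (p, s, q, r) of an MSC: send at index s on p, receive at index r on q."""
    sends, recvs = {}, {}
    for proc, events in msc.items():
        for idx, (kind, peer) in enumerate(events):
            if kind == '!':
                sends.setdefault((proc, peer), []).append(idx)
            else:
                recvs.setdefault((peer, proc), []).append(idx)
    msgs = []
    for chan in set(sends) | set(recvs):
        s_idx, r_idx = sends.get(chan, []), recvs.get(chan, [])
        if len(s_idx) != len(r_idx):
            raise ValueError("unmatched message on channel %s" % (chan,))
        msgs.extend((chan[0], s, chan[1], r) for s, r in zip(s_idx, r_idx))
    return msgs


def occurrences(pattern_p, m_p):
    """Positions x_p of P_p in M_p: the index just after the last event of each occurrence."""
    k = len(pattern_p)
    if k == 0:
        # P has no event on p: the paper places a pattern after any event of M on p;
        # this example also allows position 0 (before the first event), an assumption.
        return list(range(len(m_p) + 1))
    return [i + k for i in range(len(m_p) - k + 1) if m_p[i:i + k] == pattern_p]


def compatible(msgs_m, p, xp, q, xq, pattern_has_pq):
    """Definition 6.  An event at index e lies before position x iff e < x."""
    for sp, s, rq, r in msgs_m:
        if (sp, rq) == (p, q):
            if s >= xp and r < xq:                      # 1) x_p < s < r < x_q
                return False
            if pattern_has_pq and s < xp and r >= xq:   # 2) s < x_p and x_q < r
                return False
        elif (sp, rq) == (q, p):
            if s >= xq and r < xp:                      # 1) x_q < s < r < x_p
                return False
    return True


def find_occurrence(pattern, msc):
    """Proposition 5: return a tuple (x_p)_p of pairwise compatible positions, or None."""
    procs = list(msc)
    msgs_m = messages(msc)
    has_msg = {(a, b) for a, _, b, _ in messages(pattern)}
    candidates = [occurrences(pattern.get(p, []), msc[p]) for p in procs]
    for tup in product(*candidates):
        x = dict(zip(procs, tup))
        if all(compatible(msgs_m, p, x[p], q, x[q], (p, q) in has_msg)
               for p in procs for q in procs if p != q):
            return x
    return None


# Constructed pattern: p sends a request to q and q replies to it.
PATTERN = {'p': [('!', 'q'), ('?', 'q')], 'q': [('?', 'p'), ('!', 'p')]}

# Constructed MSC in which the pattern occurs (second request, answered by q's reply).
M_YES = {'p': [('!', 'q'), ('!', 'q'), ('?', 'q')],
         'q': [('?', 'p'), ('!', 'r'), ('?', 'p'), ('!', 'p')],
         'r': [('?', 'q')]}

# Constructed MSC where P_p and P_q both occur as strings, but q's reply is sent before
# the second request arrives, so condition 2) of Definition 6 rejects the pair.
M_NO = {'p': [('!', 'q'), ('!', 'q'), ('?', 'q')],
        'q': [('?', 'p'), ('!', 'p'), ('?', 'p')]}

if __name__ == '__main__':
    print(find_occurrence(PATTERN, M_YES))   # {'p': 3, 'q': 4, 'r': 0}
    print(find_occurrence(PATTERN, M_NO))    # None
```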

For the general case we have to consider a guarantee template MSC of the form
$M_g = M_1 \gamma_T P \gamma_{T'} M_2$, where T, T' are sets of event types, and
$M_1, P, M_2$ are CMSCs. We deal with this case by extending the automaton B in
a suitable way, and combining with the ideas of section 4.3.

Theorem 4 Let S be an FSM, $M_g = \bigvee_i (\pm) M_g^i$ be a guarantee template
MSC with at most two gaps and let $M_a$ be a template MSC.

Checking $S \models M_a \Rightarrow \bigvee_i (\pm) M_g^i$ is PSPACE-complete in
$(b_S|M_g||M_a|)$.

5 Conclusion 

We proposed template MSC formulas as an extension of Triggered MSCs by adding
gaps and showed how to use them as a visual specification formalism. The two
main components are the use of assume-guarantee CMSC as in Triggered MSCs and
LSCs, together with gaps. The formalism is quite expressive and allows one to
specify safety and liveness-like properties. A drawback of the expressivity is
that satisfiability is undecidable, unless there is an existential bound on
communication channels. Notice that for LSCs, satisfiability (consistency) is
shown to be decidable in [9] with a synchronous semantics of communication.
However, synchronous communication is a severe restriction for specifying
protocols.

We considered template MSCs as a specification formalism, given as a visual
alternative to linear temporal logic, and we analyzed the complexity of
checking various template MSC properties. Model-checking a realizable
compositional HMSC S gives the following complexities for the restrictions
below:

Abstract. We introduce a game model for a procedural programming language
extended with primitives for parallel composition and synchronization on binary
semaphores. The model uses an interleaved version of Hyland-Ong-style games,
where most of the original combinatorial constraints on positions are replaced
with a simple principle naturally related to static process creation. The
model is fully abstract for may-equivalence.



1 Introduction 

The two major paradigms of concurrent programming are message-passing and
shared-variable. The latter style of programming is closer to the underlying
machine model, which makes it both more popular and more “low-level” (and more
error-prone) than the former. This constitutes very good motivation for the
study of such languages. Concurrent shared-variable programming languages
themselves can come in several varieties:

— Fine-grained languages have designated atomic actions which are implemented
directly by the hardware on which the program is executed. In contrast,
coarse-grained programming languages can specify sequences of actions to
appear as indivisible.

— Languages with static process creation execute statements in parallel and
then synchronize on the completion of all the statements. Conversely, dynamic
process creation languages can create wholly autonomous new threads of
execution.

— The procedure invocation mechanism can be call-by-name or call-by-value. 

Any combination of the features above is possible and yields interesting
programming languages. In this paper we consider fine-grained, static,
call-by-name languages. We found that this particular set of choices is most
naturally suited to the particular semantic model we intend to present.

Our language comes very close to Brookes’s Parallel Algol (PA) [1], which is a
coarse-grained, static, call-by-name language. Whereas PA uses a coarse-grained
await construct, we use fine-grained semaphores, with atomic operations grab
and release. Additionally, unlike PA, our language allows side-effects in
expressions. But otherwise it is very similar to PA, and both are quite
faithful to Reynolds’s principles of combining call-by-name $\lambda$-calculus
with local-variable imperative programming.

For sequential Algol, the combination of procedures and state gives rise to
difficult semantic problems [2], which were first given an adequate solution
relatively recently by Abramsky and McCusker using game semantics [3]. Their
game model of Algol uses Hyland-Ong-style (HO) games which had previously been
used to model sequential functional computation, notably for the language PCF
[4]. Since game models are strikingly concurrent, adapting them to the analysis
of parallel computation is a natural step. As it will be seen in this paper,
the game model of concurrency is substantially simpler than that of
sequentiality. One can think of sequentiality as a highly-constrained and
deterministic form of interleaving of concurrent actions, this being reflected
by the nature of the rules governing the HO games. To model concurrency we
renounce almost all the HO rules, including the most basic one, the embodiment
of sequentiality, alternation, and replace them with a single principle that is
an immediate reflection on the nature of static concurrency. The relative
simplicity of our model is best illustrated by the direct definability proof.
While the factorization method seems possible in principle, it would perhaps
obscure the connection between the concurrent nature of computation and the
concurrent nature of games. The resultant game model is fully abstract with
respect to may-equivalence. Therefore it can be used to reason about safety
properties, but not liveness (deadlock-freeness).

Concurrent games, using a true concurrency representation, have been used by
Abramsky and Melliès to model multiplicative additive linear logic [5].
Abramsky also made the first attempt to model PA using resumption-style games
[6], but the theoretical properties of that model have not been investigated.
We found that the interleaved representation is the most suitable for our
language, because it deals more easily with the possibility of synchronization
which happens either inherently at process creation and termination, or
explicitly through the usage of semaphores.

Laird’s game model of synchronous message-passing concurrency [7] is the work
most closely related to ours. It draws from the HO model, and it also uses a
non-alternating interleaved representation of concurrency. However, the
technical differences are substantial. Laird’s model introduces additional
structure (concurrency pointers, to explicitly model threads) and additional
conditions (pointer-blindness, to cut down the model) in order to set up a
framework compatible with the PCF constraints (visibility, innocence,
well-bracketing). By contrast, our approach is more direct and yields an
explicit model which seems more accessible.

Other work on denotational models for shared-variable concurrency we consider
related to ours are Brookes’s full abstraction result for a transition-trace
model of a ground-type programming language [8] and his relational parametric
model of PA [1]. Also interesting is Röckl and Sangiorgi’s process semantics
of PA using the $\pi$-calculus [9]. A representation of our game model into the
$\pi$-calculus seems possible, which would give a fully abstract $\pi$-calculus
model of PA.

2 Syntax and Operational Semantics 

The types are $\beta ::= exp \mid com$ and $\theta ::= \beta \mid var \mid sem
\mid \theta \to \theta$. The type judgements are of form $\Gamma \vdash M :
\theta$ where $\Gamma$ maps identifiers to types. The typing rules are those of
Idealized Algol (IA) with active expressions plus rules for the following new
terms:

$\dfrac{\Gamma \vdash C_1 : com \quad \Gamma \vdash C_2 : com}{\Gamma \vdash C_1 \| C_2 : com}$
$\qquad$
$\dfrac{\Gamma, x : sem \vdash M : \beta}{\Gamma \vdash \mathbf{newsem}\ x := n\ \mathbf{in}\ M : \beta}$

$\dfrac{\Gamma \vdash S : sem}{\Gamma \vdash \mathbf{grab}(S) : com}$
$\qquad$
$\dfrac{\Gamma \vdash S : sem}{\Gamma \vdash \mathbf{release}(S) : com}$

We define the semantics of the language using a (small-step) transition
relation $\Delta \vdash M, s \to M', s'$. $\Delta$ is a set of names of
variables denoting memory cells and of semaphores denoting locks; s, s' are
states, i.e. functions $s, s' : \Delta \to \mathbb{N}$, and M, M' are terms.

The reduction rules specific to our language are those for parallel
composition, semaphore manipulation and binding and we give them below.

$\dfrac{\Delta \vdash C_1, s \to C_1', s'}{\Delta \vdash C_1 \| C_2, s \to C_1' \| C_2, s'}$
$\qquad$
$\dfrac{\Delta \vdash C_2, s \to C_2', s'}{\Delta \vdash C_1 \| C_2, s \to C_1 \| C_2', s'}$

$\dfrac{\Delta, v \vdash C[v/x], s \otimes (v \mapsto n) \to C', s' \otimes (v \mapsto n')}{\Delta \vdash \mathbf{newsem}\ x := n\ \mathbf{in}\ C, s \to \mathbf{newsem}\ x := n'\ \mathbf{in}\ C'[x/v], s'}$

$\Delta \vdash \mathbf{grab}(v), s \otimes (v \mapsto 0) \to \mathbf{skip}, s \otimes (v \mapsto 1)$

$\Delta \vdash \mathbf{release}(v), s \otimes (v \mapsto n) \to \mathbf{skip}, s \otimes (v \mapsto 0) \qquad n > 0$

Semaphores are interpreted in a standard way, using stateful locks v. If v is 0
then the semaphore can be grabbed, which changes its state to 1; if v is
non-zero then the semaphore can be released, which changes its state back to 0.
Note that semaphore operations are atomic, i.e. they cannot be interrupted by
other concurrent processes.

It is common to identify var with $(exp \to com) \times exp$ and use a variable
constructor $\mathbf{mkvar} : (exp \to com) \to exp \to var$ [2]. In the same
“object-oriented” spirit, we identify sem with $com \times com$ and introduce a
semaphore constructor $\mathbf{mksem} : com \to com \to sem$.

We use the following abbreviations: $M, s \Downarrow$ if $\exists s'.\ M, s
\to^* c, s'$, with $c \in \mathbb{N} \cup \{\mathbf{skip}\}$, and $M \Downarrow$
if M is closed and $M, \emptyset \Downarrow$. We define a contextual
approximation relation $\Gamma \vdash M_1 \sqsubseteq_\theta M_2$ by
$\forall C[-] : com$, $C[M_1] \Downarrow$ implies $C[M_2] \Downarrow$, where
$C[M_i]$ are closed programs of com type. Contextual equivalence ($\Gamma
\vdash M_1 \equiv_\theta M_2$) is defined as $\Gamma \vdash M_1
\sqsubseteq_\theta M_2$ and $\Gamma \vdash M_2 \sqsubseteq_\theta M_1$.

Note that the definition of termination $M \Downarrow$ is angelic. We consider
a term to terminate if there exists a terminating evaluation. However, the
evaluation is not deterministic, so it is possible that a term has both
terminating and non-terminating evaluations. Moreover, we do not differentiate
between the various reasons that termination might fail. In our language this
can happen either because of infinite reductions (divergence, e.g.
$\mathbf{fix}(\lambda x.x)$) or stuck configurations (deadlock, e.g.
$\mathbf{newsem}\ s := 0\ \mathbf{in}\ \mathbf{grab}(s); \mathbf{grab}(s)$).
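An added example, not the paper's code: a small interpreter for the command fragment of the language above that explores every interleaving of the small-step rules and reports both angelic termination and the stuck (deadlocked) configurations, run on the paper's deadlock example and on two constructed programs. The rules for sequencing, for joining a finished parallel composition and for discarding a finished newsem block are standard Idealized Algol conventions assumed here, and bound semaphore names are assumed to be distinct.

```python
# Added example (not the paper's code).  Terms are nested tuples; a store maps
# semaphore names to their lock value (0 = free, 1 = held).

SKIP = ('skip',)


def seq(c1, c2):      return ('seq', c1, c2)
def par(c1, c2):      return ('par', c1, c2)
def grab(s):          return ('grab', s)
def release(s):       return ('release', s)
def newsem(x, n, c):  return ('newsem', x, n, c)


def step(term, store):
    """Yield every one-step successor (term', store') of a configuration."""
    kind = term[0]
    if kind == 'seq':
        c1, c2 = term[1], term[2]
        if c1 == SKIP:                       # standard IA rule skip; C -> C (assumption)
            yield c2, store
        for c1p, sp in step(c1, store):
            yield seq(c1p, c2), sp
    elif kind == 'par':
        c1, c2 = term[1], term[2]
        if c1 == SKIP and c2 == SKIP:        # static process creation: join both children
            yield SKIP, store
        for c1p, sp in step(c1, store):      # the paper's two rules: either side may move
            yield par(c1p, c2), sp
        for c2p, sp in step(c2, store):
            yield par(c1, c2p), sp
    elif kind == 'grab':
        v = term[1]
        if store[v] == 0:                    # grab only when the lock is 0; the step is atomic
            yield SKIP, {**store, v: 1}
    elif kind == 'release':
        v = term[1]
        if store[v] > 0:                     # release only when the lock is held
            yield SKIP, {**store, v: 0}
    elif kind == 'newsem':
        x, n, body = term[1], term[2], term[3]
        if body == SKIP:                     # drop the cell once the body is done (assumption)
            yield SKIP, store
        for bp, sp in step(body, {**store, x: n}):   # run the body with x bound to n
            outer = {k: val for k, val in sp.items() if k != x}
            yield newsem(x, sp[x], bp), outer         # keep the updated value in the binder


def explore(program):
    """Return (may_terminate, deadlocks): does some run reach skip, and which stuck configs exist."""
    start = (program, ())
    seen, stack, deadlocks, terminates = {start}, [start], [], False
    while stack:
        term, frozen = stack.pop()
        if term == SKIP:
            terminates = True                # angelic: one terminating run is enough
            continue
        succ = list(step(term, dict(frozen)))
        if not succ:                         # no rule applies and the term is not skip
            deadlocks.append((term, frozen))
        for tp, sp in succ:
            cfg = (tp, tuple(sorted(sp.items())))
            if cfg not in seen:
                seen.add(cfg)
                stack.append(cfg)
    return terminates, deadlocks


# The paper's deadlock example: newsem s := 0 in grab(s); grab(s)
DEADLOCK = newsem('s', 0, seq(grab('s'), grab('s')))
# Constructed: one interleaving deadlocks, another terminates, so the term terminates angelically
RACE = newsem('s', 0, par(grab('s'), seq(grab('s'), release('s'))))
# Constructed: both threads release what they grab, so every interleaving terminates
SAFE = newsem('s', 0, par(seq(grab('s'), release('s')), seq(grab('s'), release('s'))))

if __name__ == '__main__':
    for name, prog in [('DEADLOCK', DEADLOCK), ('RACE', RACE), ('SAFE', SAFE)]:
        ok, stuck = explore(prog)
        print(name, 'may terminate:', ok, 'deadlocked configurations:', len(stuck))
```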

3 Game Semantics 

Game semantics models computation as a game between a Proponent (P),
representing a term, and an Opponent (O), representing the environment of the
term. Any play of the game is an interaction consisting of basic actions called
moves, which are of two kinds: questions and answers. The fundamental rule is
that questions can only be asked if they are justified by some previous
question, and answers can be given only to relevant questions. A common
metaphor is that of polite conversation: one must not ask irrelevant questions
or provide unrequested answers. In addition, any play must obey other various
rules, which are particular and intimately related to the kind of computations
one is interested in modeling. P must always play according to a strategy that
interprets the term. O does not play using some pre-determined strategy, but it
still needs to behave according to the rules of play.

The game-semantic approach, which is highly intensional and interactive, is
particularly well suited for modeling concurrent programming languages.
Ironically perhaps, the greatest initial success of game semantics was in
providing models for sequential computation. Sequentiality is a straitjacketed
form of interaction, and its game models reflect this situation by being
governed by a number of combinatorial rules.

The essential rule common to all sequential games is that of alternation: O
and P must take turns. In order to model concurrency we also discard this rule.
The “static” style of concurrency of our programming language requires that
any process starting sub-processes must wait for the children to terminate in
order to terminate itself. At the level of games, this is reflected by the
following principle:

In any prefix of a play, if a question is answered then that question 
and all questions justified by it are answered exactly once. 

It is helpful to spell out this property using two simpler and more precise rules: 

Forking Only a question that has not been answered can be used as a justifier 
for future moves. 

Waiting A question can be answered only after all the questions justified by it 
have been answered. 

A lot of by now standard definitions in game semantics can be adapted to the 
new setting. We detail the similarities and differences in what follows. 
3.1 Arenas

The definition of arenas remains standard. An arena A is a triple $(M_A,
\lambda_A, \vdash_A)$ where $M_A$ is a set of moves, $\lambda_A : M_A \to \{O,
P\} \times \{Q, A\}$ is a function determining for each $m \in M_A$ whether it
is an Opponent or a Proponent move, and a question or an answer. We write
$\lambda_A^{OP}, \lambda_A^{QA}$ for the composite of $\lambda_A$ with
respectively the first and second projections. $\vdash_A$ is a binary relation
on $M_A$, called enabling, satisfying

— if $m \vdash_A n$ for no m then $\lambda_A(n) = (O, Q)$,

— if $m \vdash_A n$ then $\lambda_A^{OP}(m) \neq \lambda_A^{OP}(n)$,

— if $m \vdash_A n$ then $\lambda_A^{QA}(m) = Q$.

If $m \vdash_A n$ we say that m enables n. We shall write $I_A$ for the set of
all moves of A which have no enabler; such moves are called initial. Note that
an initial move must be an Opponent question.

The product $(A \times B)$ and arrow $(A \Rightarrow B)$ arenas are defined by:

$M_{A \times B} = M_A + M_B$ $\qquad$ $M_{A \Rightarrow B} = M_A + M_B$

$\lambda_{A \times B} = [\lambda_A, \lambda_B]$ $\qquad$ $\lambda_{A \Rightarrow B} = [(\overline{\lambda_A^{OP}}, \lambda_A^{QA}), \lambda_B]$

$\vdash_{A \times B} = \vdash_A + \vdash_B$ $\qquad$ $\vdash_{A \Rightarrow B} = \vdash_A + \vdash_B + \{(b, a) \mid b \in I_B \text{ and } a \in I_A\}$

where $\overline{\lambda_A^{OP}}(m) = O$ if and only if $\lambda_A^{OP}(m) = P$.

An arena is called flat if its questions are all initial (consequently the
P-moves can only be answers). The arenas used to interpret base types are all
flat:



    Arena        O-question     P-answers
    [[com]]      run            ok
    [[exp]]      q              n
    [[var]]      read           n
                 write(n)       ok
    [[sem]]      grab           ok
                 release        ok

Note that $[\![sem]\!]$ is isomorphic to $[\![com]\!] \times [\![com]\!]$ and
$[\![var]\!] = [\![com]\!]^\omega \times [\![exp]\!]$, where by
$[\![com]\!]^\omega$ we mean the product of countably many copies of
$[\![com]\!]$.

3.2 Positions 

A justified sequence in arena A is a finite sequence of moves of A equipped
with pointers. The first move is initial and has no pointer, but each
subsequent move n must have a unique pointer to an earlier occurrence of a move
m such that $m \vdash_A n$. We say that n is (explicitly) justified by m or,
when n is an answer, that n answers m. Note that interleavings of several
justified sequences may not be justified sequences; instead we shall call them
shuffled sequences.

If a question does not have an answer in a justified sequence, we say that it
is pending in that sequence. In what follows we use the letters q and a to
refer to question- and answer-moves respectively, m will be used for arbitrary
moves and $m_A$ will be a move from $M_A$. When we write justified sequences we
only indicate those justification pointers which cannot be inferred without
ambiguity from the structure of the sequence.

Next we define what sequences of moves are considered “legal”: 
Definition 1. The set $P_A$ of positions (or plays) over A consists of the
justified sequences s over A which satisfy the two conditions below.

FORK : In any prefix $s' = \cdots q \cdots m$ of s, where m is justified by q,
the question q must be pending before m is played.

WAIT : In any prefix $s' = \cdots q \cdots a$ of s, where a answers q, all
questions justified by q must be answered.

The simplest sequences of moves that violate FORK and WAIT respectively are:

The notion of a play is stable with respect to various swapping operations:

Lemma 1. — If $s m_1 m_2 \in P_A$ and … then $s m_2 m_1 \in P_A$.

— If $s m q \in P_A$ and q is not justified by m then $s q m \in P_A$.

— If $s q a \in P_A$ and a is not justified by q, then $s a q \in P_A$.

— If $s a_1 a_2 \in P_A$ and $s a_2 a_1$ satisfies WAIT then $s a_2 a_1 \in P_A$.

Note that the definitions of $A \times B$ and $A \Rightarrow B$ no longer imply
the usual switching condition, which characterizes sequential execution.

Definition 2. A play $s \in P_A$ is complete iff no questions in s are pending.

The following notations will be useful. For two shuffled sequences $s_1$ and
$s_2$, $s_1 \| s_2$ will denote the set of all interleavings of $s_1$ and
$s_2$. For two sets of shuffled sequences $S_1$ and $S_2$: $S_1 \| S_2 =
\bigcup_{s_1 \in S_1,\, s_2 \in S_2} s_1 \| s_2$. Given a set X of shuffled
sequences, we define $X^0 = X$, $X^{i+1} = X^i \| X$. Then $X^\circledast$,
called iterated shuffle of X, is defined to be $\bigcup_{i \in \mathbb{N}} X^i$.
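A checker for the FORK and WAIT conditions of Definition 1 (and completeness in the sense of Definition 2) on justified sequences, as an added example that is not the paper's code; the move encoding and the sample sequences, including the two simplest violations, are constructed for this example. It tracks only the justification structure, so non-alternating sequences with several forked questions are accepted, as the text intends.

```python
# Added example (not the paper's code).  A justified sequence is a list of moves
# (kind, justifier): kind is 'Q' (question) or 'A' (answer) and justifier is the
# index of the earlier question the move points to (None for the initial question).


def is_play(moves):
    """Return (ok, reason): does the justified sequence satisfy FORK and WAIT?"""
    answered = {}                      # index of a question -> index of its answer
    for i, (kind, j) in enumerate(moves):
        if i == 0:
            if kind != 'Q' or j is not None:
                return False, "first move must be an initial question"
            continue
        if j is None or j >= i or moves[j][0] != 'Q':
            return False, "move %d must point to an earlier question" % i
        if j in answered:              # FORK: only a pending question may justify a move
            return False, "FORK violated at move %d: question %d already answered" % (i, j)
        if kind == 'A':
            # WAIT: every question justified by j must already be answered
            pending = [k for k in range(j + 1, i)
                       if moves[k] == ('Q', j) and k not in answered]
            if pending:
                return False, "WAIT violated at move %d: question(s) %s pending" % (i, pending)
            answered[j] = i
    return True, "ok"


def is_complete(moves):
    """Definition 2: a play is complete iff no question in it is pending."""
    ok, _ = is_play(moves)
    answered = {j for kind, j in moves if kind == 'A'}
    return ok and all(i in answered for i, (kind, _) in enumerate(moves) if kind == 'Q')


# Constructed sequences.  q0 is the initial question; q1 is justified by q0.
VALID = [('Q', None), ('Q', 0), ('A', 1), ('A', 0)]             # q0 q1 a1 a0
FORK_VIOLATION = [('Q', None), ('A', 0), ('Q', 0)]              # q0 a0 q1: q0 no longer pending
WAIT_VIOLATION = [('Q', None), ('Q', 0), ('A', 0)]              # q0 q1 a0: q1 still pending
# Two children forked from q0, answered in either order, then q0 answered: no alternation needed.
FORKED = [('Q', None), ('Q', 0), ('Q', 0), ('A', 2), ('A', 1), ('A', 0)]

if __name__ == '__main__':
    for name, s in [('VALID', VALID), ('FORK_VIOLATION', FORK_VIOLATION),
                    ('WAIT_VIOLATION', WAIT_VIOLATION), ('FORKED', FORKED)]:
        print(name, is_play(s), 'complete:', is_complete(s))
```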



3.3 Strategies 

Strategies describe the way programs (represented by P) interact with their
environment (represented by O).

Definition 3. A strategy $\sigma$ on A (written $\sigma : A$) is a prefix-closed
subset of $P_A$, which is O-complete, i.e. if $s \in \sigma$ and $so \in P_A$,
where o is an (occurrence of an) O-move, then $so \in \sigma$.

O-completeness signifies the fact that the environment cannot be controlled
during the interaction, and can make any legal move at any time. We will often
define strategies using sets of sequences omitting the prefix- or O-closure. We
will say that P has a response at position s (when following $\sigma$) if $sp
\in \sigma$ for some P-move p. The set of non-empty complete plays of a
strategy $\sigma$ will be denoted by $comp(\sigma)$.

Two strategies $\sigma : A \Rightarrow B$ and $\tau : B \Rightarrow C$ can be
composed by considering their possible interactions in the shared arena B.
Moves in B are subsequently hidden yielding a sequence of moves in A and C.
Each play in $\sigma$ has a unique initial move, but plays in $\tau$ may use
several initial B-moves. The latter corresponds to multiple uses of the
argument of type B. Thus, when the strategies are interacting, positions of
$\sigma$ will be replicated in order to allow for any number of copies of
$\sigma$ to be “used” by $\tau$.

More formally, let u be a sequence of moves from arenas A, B and C with
justification pointers from all moves except those initial in C such that
pointers from moves in C cannot point to moves in A and vice versa. Define
$u \upharpoonright B, C$ to be the subsequence of u consisting of all moves from
B and C (pointers between A-moves and B-moves are ignored). $u \upharpoonright
A, B$ is defined analogously (pointers between B and C are then ignored). We
say that u is an interaction sequence of A, B and C if $u \upharpoonright A, B
\in P_{A \Rightarrow B}^\circledast$ and $u \upharpoonright B, C \in P_{B
\Rightarrow C}$. The set of all such sequences is written as $int(A, B, C)$.
Then the interaction sequence $\sigma \| \tau$ of $\sigma$ and $\tau$ is
defined by $\sigma \| \tau = \{u \in int(A, B, C) \mid u \upharpoonright A, B
\in \sigma^\circledast,\ u \upharpoonright B, C \in \tau\}$.

Suppose $u \in int(A, B, C)$. Define $u \upharpoonright A, C$ to be the
subsequence of u consisting of all moves from A and C, but where there was a
pointer from a move $m_A \in M_A$ to an initial move $m_B \in M_B$ extend the
pointer to the initial move in C which was pointed to from $m_B$. Then the
composite strategy $\sigma; \tau$ is defined to be $\{u \upharpoonright A, C
\mid u \in \sigma \| \tau\}$.

3.4 Saturated Strategies 

The original definition of strategies is inherently sequential. It relies on sequences 
of moves. Clearly, this cannot be sufficient to interpret concurrent computation. 
Sequences of events represent only one of possibly many observations of events 
which occur in parallel. Much of the ordering of the events present in such a 
sequence is arbitrary. We must consider strategies containing all possible such 
(sequential) observations of (parallel) interactions. In other words, strategies 
must be closed under inessential (i.e. unobservable) differences in the order of 
moves: 

— Any action of the environment could be observed at any time between the 
moment when it becomes possible and the moment when it actually occurs. 

— Dually, any action of the program could be observed at any time between 
the moment when it actually occurs and the moment it ceases to be possible. 

To formalize this in terms of moves and plays, we define a preorder $\preceq$ on $P_A$ for 
any arena $A$ as the least transitive relation satisfying $s' \preceq s$ for all $s, s' \in P_A$ 
such that 

1. $s' = s_0 \cdot o \cdot s_1 \cdot s_2$ and $s = s_0 \cdot s_1 \cdot o \cdot s_2$, or 

2. $s' = s_0 \cdot s_1 \cdot p \cdot s_2$ and $s = s_0 \cdot p \cdot s_1 \cdot s_2$, 

where $o$ is any O-move and $p$ is any P-move and every move in $s$ has the same 
justifier as in $s'$. Since $s, s'$ are legal plays by definition, it follows that no move 
in $s_1$ is justified by $o$ (1) and $p$ justifies no move in $s_1$ (2). 

Definition 4. A strategy $\sigma$ is saturated if and only if whenever $s \in \sigma$ and $s' \preceq s$ 
then $s' \in \sigma$. 
The two saturation conditions, in various formulations, have a long pedigree 
in the semantics of concurrency. For example, they have been used by Udding 
to describe propagation of signals across wires in delay-insensitive circuits [10] 
and by Josephs et al. to specify the relationship between input and output in 
asynchronous systems with channels [11]. Laird has been the first to use them 
in game semantics, in his model of Idealized CSP [7]. 

For technical arguments it is convenient to use an equivalent “small-step” 
characterization of saturated strategies. 

Lemma 2. $\sigma : A$ is saturated if and only if the two conditions below hold. 

1. If $s\, m_1 m_2 \in \sigma$ and $\lambda_A(m_1) = \lambda_A(m_2)$ then $s\, m_2 m_1 \in \sigma$. 

2. If $s\, p\, o \in \sigma$ and $s\, o\, p \in P_A$ then $s\, o\, p \in \sigma$. □ 

Recall that in the second clause it is necessary to stipulate $s\, o\, p \in P_A$ (Lemma 1). 

Arenas and saturated strategies form a category $\mathcal{G}_{\mathrm{sat}}$ in which $\mathcal{G}_{\mathrm{sat}}(A, B)$ 
consists of saturated strategies on $A \Rightarrow B$. The identity strategy will be defined 
by saturating the strictly alternating copy-cat strategy, which is in turn defined in 
the same way as identity strategies used for modeling sequential languages (but 
with respect to the new notion of positions). 

Let $P^{\mathrm{alt}}_A$ be the subset of $P_A$ consisting of alternating plays (no two consec- 
utive moves are by the same player). The “alternating copy-cat strategy” $\mathrm{id}^{\mathrm{alt}}_A$ 
is the least strategy containing $\{\, s \in P^{\mathrm{alt}}_{A_1 \Rightarrow A_2} \mid \forall t \sqsubseteq^{\mathrm{even}} s,\ t \upharpoonright A_1 = t \upharpoonright A_2 \,\}$. In 
$\mathrm{id}^{\mathrm{alt}}_A$, P copies O-moves as they come provided he is “fast enough” to do so before 
the next O-move; otherwise the strategy breaks down. 

Recall the lack of switching conditions for $A_1 \Rightarrow A_2$. Consequently, $\mathrm{id}^{\mathrm{alt}}_A$ 
also admits plays of the shape $d_2\, d_1\, e_1\, e_2\, f_1\, f_2$, which are illegal in the alternating 
setting. We used subscripts 1, 2 to indicate which instance of a type provides a 
move. 

The identity strategy $\mathrm{id}_A$ will allow P to copy O-moves from one copy of $A$ 
to the other in a “parallel” fashion: the P-copy of an O-move does not have to 
follow the O-move immediately and can be delayed by some other O- or P-moves. 

Definition 5. Let $\mathrm{sat}(\tau)$ be the least saturated strategy containing the strategy 
$\tau$. We define the identity strategy $\mathrm{id}_A$ as $\mathrm{sat}(\mathrm{id}^{\mathrm{alt}}_A)$. 

The product and arena constructions make $\mathcal{G}_{\mathrm{sat}}$ into a Cartesian closed cat- 
egory. The empty arena is the terminal object, pairing amounts to taking the 
sum (up to the canonical embeddings in the disjoint sum). Because the arenas 
$A \times B \Rightarrow C$ and $A \Rightarrow (B \Rightarrow C)$ are almost identical (up to associativity of dis- 
joint sum), currying and un-currying essentially leave the strategies unchanged. 

Proposition 1. $\mathcal{G}_{\mathrm{sat}}$ is Cartesian closed. 

The set of strategies on a given arena $A$ can be ordered by inclusion, which makes 
it into a complete lattice. The largest element is $P_A$; the empty strategy $\bot_A$, 
in which positions are merely the initial O-moves, is the least element. Greatest 
lower bounds and least upper bounds are calculated by taking intersections 
and sums respectively. Saturated strategies inherit this structure because sums 
and intersections of saturated strategies remain saturated. 
Theorem 1. $\mathcal{G}_{\mathrm{sat}}$ is an $\omega$CPO-enriched Cartesian closed category. 

We finish with a technical lemma which shows that in some cases saturation is 
preserved by composition even though one of the strategies may not be saturated. 

Lemma 3. If $\sigma : A \Rightarrow B$, $\tau : B \Rightarrow C$ are strategies, $\sigma$ is saturated and $C$ is flat 
then $\sigma; \tau = \sigma; \mathrm{sat}(\tau)$. In particular, $\sigma; \tau : A \Rightarrow C$ is saturated. 

As we shall see later, sometimes it will be convenient to use $\tau$ instead of $\mathrm{sat}(\tau)$ 
to simplify reasoning about composite strategies. 

3.5 The Game Model 

The lambda-calculus fragment of our language with fixed points can be modelled 
in a canonical way using the structure of $\mathcal{G}_{\mathrm{sat}}$ exhibited in the previous section. 
In particular $[\![\mathrm{fix}(\lambda x^{\theta}.x)]\!] = \bot_{[\![\theta]\!]}$. We shall write $\Omega_\theta$ for $\mathrm{fix}(\lambda x^{\theta}.x)$. 

Next we show how to interpret the other constructs. It is convenient to present 
an alternative, but equivalent syntax of the language using functions rather than 
term-forming combinators: 

conditional: $\mathrm{ifzero}_\beta : \mathrm{exp} \to \beta \to \beta \to \beta$ 

semaphores: $\mathrm{grb} : \mathrm{sem} \to \mathrm{com}$, $\mathrm{rls} : \mathrm{sem} \to \mathrm{com}$ 

commands: $\mathrm{seq}_\beta : \mathrm{com} \to \beta \to \beta$, $\mathrm{parc} : \mathrm{com} \to \mathrm{com} \to \mathrm{com}$ 

variables: $\mathrm{assg} : \mathrm{var} \to \mathrm{exp} \to \mathrm{com}$, $\mathrm{deref} : \mathrm{var} \to \mathrm{exp}$ 

arithmetic, logic: $\mathrm{op} : \mathrm{exp} \to \mathrm{exp} \to \mathrm{exp}$ 

binders: $\mathrm{newvar}_\beta : (\mathrm{var} \to \beta) \to \beta$, $\mathrm{newsem}_\beta : (\mathrm{sem} \to \beta) \to \beta$. 

The strategies interpreting the functional constants of the language can be de- 
fined by giving the set of their complete plays. 

Those inherited from IA are interpreted exactly as in [3]. For instance $[\![\mathrm{seq}]\!] : 
[\![\mathrm{com}]\!] \Rightarrow [\![\beta]\!]_0 \Rightarrow [\![\beta]\!]_1$ is given by positions of the shape $q_1 \cdot \mathit{run} \cdot \mathit{ok} \cdot q_0 \cdot a_0 \cdot a_1$ and 
$[\![\mathrm{assg}]\!] : [\![\mathrm{var}]\!]_0 \Rightarrow [\![\mathrm{exp}]\!]_1 \Rightarrow [\![\mathrm{com}]\!]_2$ is defined by $\mathit{run}_2 \cdot q_1 \cdot n_1 \cdot \mathit{write}(n)_0 \cdot \mathit{ok}_0 \cdot \mathit{ok}_2$. 

The interpretations $[\![\mathrm{grb}]\!], [\![\mathrm{rls}]\!] : [\![\mathrm{sem}]\!]_0 \Rightarrow [\![\mathrm{com}]\!]_1$ are given respectively 
by the positions $\mathit{run}_1 \cdot \mathit{grab}_0 \cdot \mathit{ok}_0 \cdot \mathit{ok}_1$ and $\mathit{run}_1 \cdot \mathit{release}_0 \cdot \mathit{ok}_0 \cdot \mathit{ok}_1$. 

For parallel composition, $[\![\mathrm{parc}]\!] : [\![\mathrm{com}]\!]_0 \Rightarrow [\![\mathrm{com}]\!]_1 \Rightarrow [\![\mathrm{com}]\!]_2$ is the satu- 
rated strategy generated by $\mathit{run}_2 \cdot \mathit{run}_0 \cdot \mathit{run}_1 \cdot \mathit{ok}_0 \cdot \mathit{ok}_1 \cdot \mathit{ok}_2$. Thus, its complete 
plays are exactly those of $\mathit{run}_2 \cdot (\mathit{run}_0 \cdot \mathit{ok}_0 \parallel \mathit{run}_1 \cdot \mathit{ok}_1) \cdot \mathit{ok}_2$, where $\parallel$ denotes 
interleaving. Note that this is the only language constant interpreted by a strategy with non-alternating plays. 
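As an added illustration (not code from the paper), the following Python computes the saturation of Definitions 4 and 5 for the generator of $[\![\mathrm{parc}]\!]$ just given, by closing under the two reorderings of the preorder and under prefixes, and checks both the resulting complete plays and the small-step conditions of Lemma 2. Legality of plays is hard-coded for this flat three-com arena, an assumption made here rather than the paper's general definition of $P_A$.

```python
# Added example: saturation (Definitions 4 and 5) of the generator of [[parc]] on the
# arena [com]_0 => [com]_1 => [com]_2. Moves are plain strings; legality is hard-coded
# for this flat arena (a simplification assumed here, not the paper's general P_A).
O_MOVES = frozenset({"run2", "ok0", "ok1"})   # environment: initial question, answers to P's calls
P_MOVES = frozenset({"run0", "run1", "ok2"})  # program: the two calls and the final answer


def is_o(m):
    return m in O_MOVES


def legal(play):
    """Membership in P_A for this arena: run2 first and unique, run_i only after run2,
    ok_i only after run_i, no move twice (justification pointers are then determined)."""
    seen = set()
    for m in play:
        if m in seen or (m != "run2" and "run2" not in seen):
            return False
        if m.startswith("ok") and "run" + m[-1] not in seen:
            return False
        seen.add(m)
    return True


def one_step_earlier(s):
    """All legal s' with s' below s by one application of clause 1 or 2 of the preorder:
    an O-move moved earlier (1) or a P-move moved later (2), other moves kept in order."""
    out = set()
    for i, m in enumerate(s):
        if is_o(m):
            for j in range(i):                      # s = s0 s1 o s2  ->  s' = s0 o s1 s2
                out.add(s[:j] + (m,) + s[j:i] + s[i + 1:])
        else:
            for j in range(i + 1, len(s)):          # s = s0 p s1 s2  ->  s' = s0 s1 p s2
                out.add(s[:i] + s[i + 1:j + 1] + (m,) + s[j + 1:])
    return {t for t in out if legal(t)}


def prefix_closure(plays):
    return {tuple(s[:k]) for s in plays for k in range(len(s) + 1)}


def saturate(generators):
    """sat(tau): least prefix-closed set of legal plays containing the generators and
    closed under the preorder of Definition 4."""
    sigma, todo = set(), [tuple(g) for g in generators]
    while todo:
        s = todo.pop()
        if s in sigma:
            continue
        sigma.add(s)
        if s:
            todo.append(s[:-1])
        todo.extend(one_step_earlier(s))
    return sigma


def complete_plays(sigma):
    """comp(sigma): non-empty plays in which every question run_i has been answered by ok_i."""
    return {s for s in sigma if s and all("ok" + m[-1] in s for m in s if m.startswith("run"))}


def lemma2_holds(sigma):
    """The small-step conditions of Lemma 2, checked at the end of every play."""
    for s in sigma:
        if len(s) < 2:
            continue
        t, m1, m2 = s[:-2], s[-2], s[-1]
        swapped = t + (m2, m1)
        same_player = is_o(m1) == is_o(m2)            # clause 1
        p_then_o = (not is_o(m1)) and is_o(m2)         # clause 2
        if (same_player or p_then_o) and legal(swapped) and swapped not in sigma:
            return False
    return True


def shuffle(u, v):
    """All interleavings of two sequences (the parallel composition of segments in the text)."""
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in shuffle(u[1:], v)} |
            {(v[0],) + w for w in shuffle(u, v[1:])})


PARC_GENERATOR = ("run2", "run0", "run1", "ok0", "ok1", "ok2")


def parc_complete_plays():
    return complete_plays(saturate([PARC_GENERATOR]))


def expected_parc_complete_plays():
    """run2 . (run0.ok0 || run1.ok1) . ok2, as stated in the text."""
    return {("run2",) + w + ("ok2",) for w in shuffle(("run0", "ok0"), ("run1", "ok1"))}


if __name__ == "__main__":
    for play in sorted(parc_complete_plays()):
        print(" ".join(play))
```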

3.6 Stateful Behaviour: Cells and Locks 

The interpretation of a local variable is defined as the composition of the follow- 
ing strategies: 

$[\![\Gamma \vdash \mathrm{newvar}\ x := n\ \mathrm{in}\ M : \beta]\!] = \Lambda_x([\![\Gamma, x : \mathrm{var} \vdash M : \beta]\!]);\ \mathrm{cell}^n_\beta$ 

where $\Lambda_x$ is the currying isomorphism and the strategy $\mathrm{cell}^n_\beta : ([\![\mathrm{var}]\!] \Rightarrow [\![\beta]\!]) \Rightarrow 
[\![\beta]\!]$ is the least strategy containing the alternating plays of the shape $q \cdot q \cdot \mathit{read} \cdot 
n \cdot \mathit{write}(i) \cdot \mathit{ok} \cdot \mathit{read} \cdot i \cdots a \cdot a$, where P responds to each $\mathit{write}(i)$ with $\mathit{ok}$ and 
plays the most recently written value in response to $\mathit{read}$ (or $n$ if no $\mathit{write}(i)$ has 
been played by O yet). 

Local semaphore introduction is defined similarly: 

$[\![\Gamma \vdash \mathrm{newsem}\ x := n\ \mathrm{in}\ M : \beta]\!] = \Lambda_x([\![\Gamma, x : \mathrm{sem} \vdash M : \beta]\!]);\ \mathrm{lock}^n_\beta,$ 

where $\mathrm{lock}^n_\beta : ([\![\mathrm{sem}]\!] \Rightarrow [\![\beta]\!]) \Rightarrow [\![\beta]\!]$ is the least strategy containing plays of the 
shape $q \cdot q \cdot \square \cdot a \cdot a$ where $\square$ is a segment of alternating $\mathit{grab} \cdot \mathit{ok}$ and $\mathit{release} \cdot \mathit{ok}$ 
sequences. 

Equivalently, by Lemma 3, instead of $\mathrm{cell}^n_\beta$ and $\mathrm{lock}^n_\beta$ one can use the saturated 
strategies $\mathrm{sat}(\mathrm{cell}^n_\beta)$ and $\mathrm{sat}(\mathrm{lock}^n_\beta)$. Therefore, the above definitions always lead 
to saturated strategies, i.e. morphisms of $\mathcal{G}_{\mathrm{sat}}$. 

3.7 Examples 

Example 1 (Nondeterminism). Let $M_0, M_1 : \beta$. Define $M_0\ \mathrm{or}\ M_1 : \beta$ as 

$\mathrm{newvar}\ x := 0\ \mathrm{in}\ ((x := 0 \parallel x := 1);\ \mathrm{ifzero}\ !x\ \mathrm{then}\ M_0\ \mathrm{else}\ M_1).$ 

This construction can be extended to var, sem using mkvar, mksem respec- 
tively, and to higher-order types using $\eta$-expansion. Then we have $[\![M_0\ \mathrm{or}\ M_1]\!] = 
[\![M_0]\!] \cup [\![M_1]\!]$. 

Example 2 (Test of linearity). Consider a term $\Gamma \vdash M : \beta$ and an identifier 
$s : \mathrm{sem}$. If $s$ is initialized to 0 and not used elsewhere, then $\mathrm{grab}(s); M$ behaves 
exactly like $M$, but can be used at most once if passed as argument to a function, 
as in $p : \beta \to \beta' \vdash \mathrm{newsem}\ s := 0\ \mathrm{in}\ p(\mathrm{grab}(s); M)$. Observe that instantiating 
$p$ to $\lambda c{:}\mathrm{com}.\, c; c$ or $\lambda c{:}\mathrm{com}.\, c \parallel c$ will not lead to convergence and that the 
corresponding strategy has no complete plays. 

This construction can be extended to other types as in the case of or (Ex- 
ample 1) and plays an important role in the definability argument. 

Example 3 (Test of linear parallelism). The following term generates only non- 
alternating complete plays: 

$p : \mathrm{com}_1 \to \mathrm{com}_2 \to \mathrm{com}_3 \vdash \mathrm{newsem}\ s_l, s_r, s := 0\ \mathrm{in}$ 

$p(\mathrm{grab}(s_l); \mathrm{grab}(s); \mathrm{grab}(s))\ (\mathrm{grab}(s_r); \mathrm{release}(s); \mathrm{release}(s)) : \mathrm{com}_4.$ 

They are generated, using saturation, by $\mathit{run}_4 \cdot \mathit{run}_3 \cdot \mathit{run}_2 \cdot \mathit{run}_1 \cdot \mathit{ok}_2 \cdot \mathit{ok}_1 \cdot \mathit{ok}_3 \cdot \mathit{ok}_4$ 
in $([\![\mathrm{com}]\!]_1 \Rightarrow [\![\mathrm{com}]\!]_2 \Rightarrow [\![\mathrm{com}]\!]_3) \Rightarrow [\![\mathrm{com}]\!]_4$. Observe that instantiating $p$ to 
$\lambda c_1 : \mathrm{com}, c_2 : \mathrm{com}.\, c_1; c_2$ leads to divergence and the corresponding strategy has 
no complete plays. However, we have convergence for $\lambda c_1 : \mathrm{com}, c_2 : \mathrm{com}.\, c_1 \parallel c_2$. 

For many programming tasks it is well known that semaphores can be pro- 
grammed using shared variables only (e.g. the tie-breaker algorithms from [12]). 
However, such implementations have been defined with the assumption that the 
processes involved are distinct and can run different code. This does not seem 
uniform enough to program the behaviour required in Examples 2 and 3, where 
the competing threads are produced by the same piece of code. This apparent 
expressivity failure has motivated the introduction of semaphores as a primitive 
in our language. 
4 Soundness and Adequacy 

Although $\mathcal{G}_{\mathrm{sat}}$ can be shown to be inequationally sound, it is not fully abstract. 
As is the case for all game models, full abstraction will be proved for the quotient 
of $\mathcal{G}_{\mathrm{sat}}$ with respect to the so-called intrinsic preorder. Fortunately, in our case 
the quotient turns out to have a more explicit representation based on complete 
plays (like for IA, but not PCF), which makes it easy to apply our model to 
reasoning about program approximation and equivalence. 

Let $S$ be the game with a single question $q$ and one answer $a$ such that 
$q \vdash_S a$ (note that $S$ is essentially the same as $[\![\mathrm{com}]\!]$). There are two strategies 
for $S$: the bottom strategy $\bot_S$ and the top strategy $\top_S = \{\epsilon, q, q \cdot a\}$. The 
intrinsic preorder for saturated strategies on $A$ is defined by $\tau_1 \lesssim \tau_2$ iff $\forall \alpha \in 
\mathcal{G}_{\mathrm{sat}}(A, S)$, if $\tau_1; \alpha = \top_S$ then $\tau_2; \alpha = \top_S$. For composition the strategies $\tau_i : A$ 
are regarded as ones between $1$ and $A$. 

Theorem 2 (Characterization). Let $\tau_1, \tau_2$ be saturated strategies on $A$. $\tau_1 \lesssim 
\tau_2$ if and only if $\mathrm{comp}(\tau_1) \subseteq \mathrm{comp}(\tau_2)$. 

Because the quotient $\mathcal{G}_{\mathrm{qsat}} = \mathcal{G}_{\mathrm{sat}}/{\lesssim}$ has such a direct representation based on 
inclusion of complete plays, it is easy to see that it is also an $\omega$CPO-enriched 
category. The compact elements of $\mathcal{G}_{\mathrm{qsat}}$ are precisely the equivalence classes 
$[\sigma]_{\lesssim}$ such that $\mathrm{comp}(\sigma)$ is finite. Next we examine the theoretical properties of 
$\mathcal{G}_{\mathrm{qsat}}$: soundness, adequacy and, finally, full abstraction. 

For the purpose of relating our model with the operational semantics we will 
represent a state $s : \Sigma \to \mathbb{N}$ by the strategy $[\![s]\!]_\beta : ([\![\theta_1]\!] \Rightarrow \cdots \Rightarrow [\![\theta_m]\!] \Rightarrow 
[\![\beta]\!]) \Rightarrow [\![\beta]\!]$ generated from complete plays of the shape $q \cdot q \cdot \square \cdot a \cdot a$ where $\square$ 
stands for a (possibly empty) sequence of segments of one of the following shapes: 
$\mathit{read} \cdot n$, $\mathit{write}(n) \cdot \mathit{ok}$, $\mathit{grab} \cdot \mathit{ok}$ or $\mathit{release} \cdot \mathit{ok}$ such that the projections onto $\theta_i$ 
are of the same shape as those of suitably initialized (i.e. $n_i = s(l_i)$) $\mathrm{cell}^{n_i}_\beta$ or 
$\mathrm{lock}^{n_i}_\beta$ strategies. We can think of $[\![s]\!]_\beta$ as a “super-sequentialized” store, where 
individual cells and locks are accessed sequentially both individually and as a 
group. In what follows, $[\![\Sigma \vdash M : \beta]\!]; [\![s]\!]_\beta$ will be the interpretation of $\Sigma \vdash M : \beta$ 
at state $s$. Recall that, by Lemma 3, the same result would be achieved by using 
$\mathrm{sat}([\![s]\!]_\beta)$. 

Lemma 4. For any term $\Sigma \vdash M : \beta$ and any state $s$, if $\Sigma \vdash M, s \to M', s'$ 
then $[\![\lambda x.M']\!]; [\![s']\!]_\beta \subseteq [\![\lambda x.M]\!]; [\![s]\!]_\beta$. 

Soundness then follows. 

Proposition 2 (Soundness). For any $\Sigma \vdash M : \beta$ and any state $s$, if $\Sigma \vdash 
M, s \Downarrow$ then $[\![\lambda x.M]\!]; [\![s]\!]_\beta = \top$. 

Our semantic model is adequate in the usual sense. The proof uses logical rela- 
tions, adapted to small-step operational semantics. 

Proposition 3 (Computational adequacy). For any program $P$, $P \Downarrow$ if and 
only if $[\![P]\!] = \top$. 
Fig. 1. Questions and justification pointers 



Together, the two propositions imply: 

Theorem 3 (Inequational Soundness). Let $\Gamma \vdash M_i : \theta$ for $i = 1, 2$. If 
$[\![M_1]\!] \lesssim [\![M_2]\!]$ then $M_1 \sqsubseteq M_2$. Equivalently, $\mathrm{comp}([\![M_1]\!]) \subseteq \mathrm{comp}([\![M_2]\!])$ implies 
$M_1 \sqsubseteq M_2$. 

5 Full Abstraction 

We give a direct recursive algorithm, called $\mathrm{PROC}^+$, which, given a position $s$ of 
$[\![\theta]\!]$, returns a term of type $\theta$ whose denotation is the smallest saturated strategy 
containing $s$. 

The basic idea of the construction is to use justification pointers to identify 
potential threads. If two moves are justified by the same move we can think of 
them as occurring in parallel threads spawned by the thread corresponding to 
the justifier. When constructing the term for the position we compose all these 
threads in parallel. Then we use specially designated side-effects as time-stamps 
to enforce the particular order of moves that happens in the position. Of course, 
we can only try to achieve this up to the saturation conditions. 

In order to generate the desired positions we need to control the way in which 
both P and O move. We control P-moves using guards that wait for special side- 
effects (time-stamps) caused by O-moves. The effects take place only if a correct 
O-move is played and we make sure that they occur only once by using a fresh 
semaphore for each O-move. This allows us to enforce arbitrary synchronization 
policies, restricting the order of moves present in the original sequence up to the 
reorderings dictated by the saturation conditions. Each O-move $s_j$ produces an 
associated time-stamp which is stored in a variable $x_j$, bound by new at the 
top level and initialized to 0. We “time-stamp” the variable by assigning 1 to it. 
For $1 \le j \le |s| - 1$, let $O_j = \{\, i \in \mathbb{N} \mid 0 \le i < j,\ s_i \text{ is an O-move} \,\}$. Let $\mathrm{test} = 
\lambda x : \mathrm{exp}.\ \mathrm{ifzero}\ x\ \mathrm{then}\ \mathrm{skip}\ \mathrm{else}\ \Omega_{\mathrm{com}}$. We define $\mathrm{WAIT}_j$ as the guard which 
checks for time-stamps originating from all the O-moves with indices smaller 
than $j$: $\mathrm{WAIT}_j = \mathrm{test}(1 - !x_{g_1}); \cdots; \mathrm{test}(1 - !x_{g_k})$, with $O_j = \{g_1, \ldots, g_k\}$. 

Below we give the definition of $\mathrm{PROC}^+(s : \theta)$ for the case where $\theta$ is gener- 
ated from com only (see also the example). The complete definition is available 
in [13]. 

$\mathrm{PROC}^+$ first calls $\mathrm{PROC}$ and then adds bindings to the term returned by 
$\mathrm{PROC}$. The initial argument to $\mathrm{PROC}$ is the original position $s$. In the recursive 
invocations, the argument is a subsequence of the form $s \upharpoonright m$, where $t \upharpoonright m$ is the 
subsequence of $t$ consisting of $m$ and all moves hereditarily justified by $m$, always 
an O-question. Note that consequently a move in $t$ is answered in $t$ if and only if 
it is answered in $s$. $\mathrm{PROC}$ uses indices relative to the original $s$; we write $s_i$ for 
the $i$th move of $s$, assuming $s_0$ initial. $\mathrm{PROC}(t : \theta)$ where $\theta = \theta_1 \to \cdots \to \theta_h \to 
\mathrm{com}$ is defined in two stages which manage O-questions and P-answers, and 
respectively P-questions and O-answers. If $t$ is empty, $\lambda p_1 \cdots p_h.\, \Omega_{\mathrm{com}}$ is returned. 
Otherwise, let $o = s_i$ be the initial move of $t$ (which is always an O-question). 

1. Let $p_1, \ldots, p_h$ be all the P-questions enabled by $o$ (corresponding respec- 
tively to $\theta_1, \ldots, \theta_h$). Let $i_1 < \cdots < i_m$ be the $s$-indices of all occurrences of 
$p_1, \ldots, p_h$ in $t$ which are explicitly justified by $s_i$ (see Figure 1). Then $\mathrm{PROC}$ 
returns $\lambda p_1 \cdots p_h.\, (x_i := 1);\ (P_1 \parallel \cdots \parallel P_m);\ \mathrm{PANS}^{i,i'}_t$ where $P_1, \ldots, P_m$ are 
defined in 2. and $\mathrm{PANS}^{i,i'}_t$ is either $\Omega_{\mathrm{com}}$ (if $s_i$ is unanswered in $t$) or 
$\mathrm{WAIT}_{i'}$ (if $s_{i'}$ answers $s_i$ in $t$). By convention, $(P_1 \parallel \cdots \parallel P_m)$ degenerates 
to skip for $m = 0$. 

2. Here we show how to define the terms $P_j$ for $1 \le j \le m$. Let us fix $j$ and 
suppose that $s_{i_j} = p_x$ ($1 \le x \le h$) and $\theta_x = \theta'_1 \to \cdots \to \theta'_n \to \mathrm{com}$. Let 
$o_1, \ldots, o_n$ be all the O-questions enabled by $p_x$ (corresponding to $\theta'_1, \ldots, \theta'_n$ 
respectively). 

For each $k$ ($1 \le k \le n$) let $j_{k,1} < \cdots < j_{k,m_k}$ be the $s$-indices of all 
occurrences of $o_k$ in $t$ which are explicitly justified by $s_{i_j}$ (see Figure 1). 

If $m_k = 0$, then $P^k_j =$ [illegible]. Otherwise, for all $l = 1, \ldots, m_k$ we make the 
following definitions: $P^{k,l}_j = \mathrm{PROC}(t \upharpoonright s_{j_{k,l}} : \theta'_k)$ and 

$P^k_j = \mathrm{ONCE}_{w_{j_{k,1}}}[P^{k,1}_j]\ \mathrm{or}\ \cdots\ \mathrm{or}\ \mathrm{ONCE}_{w_{j_{k,m_k}}}[P^{k,m_k}_j],$ 

where $w_{j_{k,1}}, \ldots, w_{j_{k,m_k}}$ are fresh semaphore names. The construction or is 
defined as in Example 1, and $\mathrm{ONCE}_w[M] = \mathrm{grab}(w); M$ as in Example 2. 
$P_j = \mathrm{WAIT}_{i_j};\ (p_x\, P^1_j \cdots P^n_j);\ \mathrm{OANS}^{c,c'}_t$ where $\mathrm{OANS}^{c,c'}_t$ is skip (if $s_c$ is 
unanswered in $t$) or $x_{c'} := 1$ (when $s_{c'}$ answers $s_c$ in $t$). 

After $\mathrm{PROC}(s : \theta)$ returns $\lambda p_1 \cdots p_h.\, M$, all variables and semaphores ($x_{-}, w_{-}$) 
used in the construction of $M$ must be bound at the topmost level (the variables 
$x_{-}$ must be initialized to 0, the semaphores to 0) by taking 

$\lambda p_1 \cdots p_h.\ \mathrm{newvar}\ \vec{x} := 0\ \mathrm{in}\ (\mathrm{newsem}\ \vec{w} := 0\ \mathrm{in}\ M).$ 

We denote the final term by $\mathrm{PROC}^+(s : \theta)$. 

Example 4. Consider the play $s = s_0 \cdots s_7$ (in the original, a diagram of the eight moves 
with their justification pointers, not reproduced here; as the term below makes explicit, 
it is the sequential play $\mathit{run}_4 \cdot \mathit{run}_2 \cdot \mathit{run}_1 \cdot \mathit{run}_3 \cdot \mathit{ok}_3 \cdot \mathit{ok}_1 \cdot \mathit{ok}_2 \cdot \mathit{ok}_4$ of $f(a)$) 




in arena $[\![(\mathrm{com}_1 \to \mathrm{com}_2) \to \mathrm{com}_3 \to \mathrm{com}_4]\!]$. The term $\lambda f.\lambda a.\, f a$ has this 
play among its complete positions. The term $\mathrm{PROC}^+(s)$ is: 

$\lambda f.\lambda a.\ \mathrm{newvar}\ x_0, x_2, x_4, x_6 := 0\ \mathrm{in}\ \mathrm{newsem}\ w_2 := 0\ \mathrm{in}$ 

$x_0 := 1;$ 

$((\mathrm{WAIT}_1;\ f(\mathrm{ONCE}_{w_2}[x_2 := 1;\ \mathrm{WAIT}_5]);\ x_6 := 1) \parallel (\mathrm{WAIT}_3;\ a;\ x_4 := 1));$ 
$\mathrm{WAIT}_7$ 

Notice that the second argument $a$ can be evaluated only after the first one 
($f$) is, because of $\mathrm{WAIT}_3$. On the other hand, $a$ must be evaluated before $f$'s 
argument because of $\mathrm{WAIT}_5$. The resulting temporal ordering of the moves is, 
consequently, the same as in $f(a)$. 

Using $\mathrm{PROC}^+$ and or we can show the following result: 

Theorem 4 (Compact Definability). Any compact saturated strategy $\sigma$, i.e. 
one generated by a finite set of positions, is definable. 

With adequacy and definability established, full abstraction follows routinely. 

Theorem 5 (Full abstraction). Let $\Gamma \vdash M, N : \theta$. Then $[\![M]\!] \lesssim [\![N]\!]$ if 
and only if $M \sqsubseteq N$. Equivalently, by the Characterization Theorem (Thm. 2), 
$\mathrm{comp}([\![M]\!]) \subseteq \mathrm{comp}([\![N]\!])$ if and only if $M \sqsubseteq N$. 

6 Conclusion 

We have presented a fully abstract game model for a programming language 
with fine-grained shared-variable concurrency. We found that HO-style games 
are naturally suited to interpreting concurrency, and most of the technical com- 
plexity required for modeling sequential computation can be avoided. Therefore, 
we can give a direct definability construction, as opposed to the usual factoriza- 
tion method. 

In addition to its theoretical interest, our fully abstract model can be used 
to reason about program may-equivalence. We can make straightforward argu- 
ments about ground-type equivalences such as Brookes’s laws of parallel program- 
ming [1], or other typical second-order equivalences. In order for such arguments 
to be formalized, and even automated, it is necessary to find a concrete represen- 
tation of strategies, along the lines of [14]. For this purpose, the most convenient 
representations are those which are finite-state, such as regular expressions, reg- 
ular languages, labelled transition systems, etc. Such a representation can be 
easily integrated in our ongoing research effort in game-based software model 
checking [15]. However, identifying a non-trivial fragment of this language for 
which the strategies are finitary is not straightforward. 

The main theoretical development which is required is adapting our model 
to dealing with must-equivalence, i.e. a notion of equivalence which considers 
not just termination but the full spectrum of observable behaviour: termination, 
failure and divergence. Must-equivalence has been studied using game semantics 
in the simpler setting of bounded nondeterminism by Harmer and McCusker [16], 
and some of their techniques may be applicable in our setting. 
Abstract. In the literature there are several CCS-like process calculi differing in 
the constructs for the specification of infinite behavior and in the scoping rules 
for channel names. In this paper we study various representatives of these calculi 
based upon both their relative expressiveness and the decidability of divergence. 
We regard any two calculi as being equally expressive iff for every process in each 
calculus, there exists a weakly bisimilar process in the other. 

By providing weak bisimilarity preserving mappings among the various variants, 
we show that in the context of relabeling-free and finite summation calculi: (1) 
CCS with parameterless (or constant) definitions is equally expressive to the 
variant with parametric definitions. (2) The CCS variant with replication is equally 
expressive to that with recursive expressions and static scoping. We also state that 
the divergence problem is undecidable for the calculi in (1) but decidable for 
those in (2). We obtain this from (un)decidability results by Busi, Gabbrielli and 
Zavattaro, and by showing the relevant mappings to be computable and to preserve 
divergence and its negation. From (1) and the well-known fact that parametric 
definitions can replace injective relabelings, we show that injective relabelings 
are redundant (i.e., derived) in CCS (which has constant definitions only). 



1 Introduction 

The study of concurrency is often conducted with the aid of process calculi. Undoubtedly 
CCS [9], a calculus for synchronous communication, remains a standard representative. 
In fact, many foundational ideas in the theory of concurrency have grown out of this 
calculus. 

Nevertheless, there are several variants of CCS in the literature. This is reasonable 
as a variant may simplify the presentation of the calculus or be tailored to specific appli- 
cations. Given two variants, a legitimate question is whether they are equally expressive. 
To answer this question one has to agree on what it means for one calculus to be as 
expressive as the other. A natural way of doing this in CCS is by comparing w.r.t. some 
standard process equivalence such as (weak) bisimilarity: If for every process P in one 
calculus there is a process Q in the other calculus such that Q is (weakly) bisimilar to 
P then we say that the second calculus is at least as expressive as the first one. Another 
legitimate question, given a variant, is whether some fundamental property such as di- 
vergence (i.e., the existence of divergent computations) becomes simpler or harder to 
analyze. 

In this paper, we study both the relative expressiveness w.r.t. weak bisimilarity and 
the decidability of divergence for various CCS-like calculi. We shall focus upon two 
sources of variation found in the CCS literature: The constructs used to express infinite 
behavior and the way in which scoping of channel (port) names is dealt with. As for the 
constructs for finite behavior, in all the calculi we confine our attention to prefix, finite 
sums, restriction, and parallel composition. The calculi here studied can be described as 
follows: 

- $\mathrm{CCS}_k$: Infinite behavior is given by a finite set of constant (i.e., parameterless) 
definitions of the form $A \stackrel{\mathrm{def}}{=} P$. The calculus is essentially CCS [9] with neither 
relabelings nor infinite summations. 

- $\mathrm{CCS}_p$: Like $\mathrm{CCS}_k$ but using parametric definitions of the form $A(x_1, \ldots, x_n) \stackrel{\mathrm{def}}{=} P$. 
The calculus is the variant in [10], Part I. 

- $\mathrm{CCS}_!$: Infinite behavior given by replication of the form $!P$. This variant is presented 
in [3]. 

- $\mathrm{CCS}_\mu$: Infinite behavior given by recursive expressions of the form $\mu X.P$ as in [9]. 
However, we adopt static scoping of channel names in the sense discussed in [5]. 

In particular, we show that (1) $\mathrm{CCS}_k$ is exactly as expressive as $\mathrm{CCS}_p$ while (2) $\mathrm{CCS}_\mu$ 
is exactly as expressive as $\mathrm{CCS}_!$. We use recent work by Busi et al. [3] to also state that 
(3) the divergence problem is undecidable for the calculi in (1) but decidable for those 
in (2). The results (1-3) are summarized in Figure 1. 

Also, as a consequence of (1), we prove that (4) injective relabelings, from the ex- 
pressiveness point of view, are redundant operators in CCS. More precisely, the behavior 
of any CCS process involving relabelings (all of them being injective) can be expressed 
up to strong bisimilarity by a $\mathrm{CCS}_k$ process. Furthermore, we also illustrate that $\mathrm{CCS}_k$ 
exhibits dynamic scoping of channel names and that it does not satisfy $\alpha$-conversion. 
By dynamic scoping we mean that, unlike the static case, the occurrence of a name can 
get dynamically (i.e., during execution) captured under a restriction. 

Let us now elaborate on the significance and implications of the above results. A 
noteworthy aspect of (1) is that any finite set of parametric (possibly mutually recursive) 
definitions can be replaced by an also finite set of parameterless definitions using neither 
infinite summations nor relabelings. This arises as a result of the restricted nature of 
communication in CCS (e.g., absence of mobility). Related to this result is that of [9] 
which shows that, in the context of value-passing CCS, a parametric definition can be 
encoded using an infinite set of constant definitions and infinite sums. 

Regarding (1) some readers may feel that given a process $P$ with a parametric 
definition $D$, one could simply create as many constant definitions as permutations of 
possible parameters w.r.t. the finite set of names in $P$ and $D$. This would not work for 
$\mathrm{CCS}_p$; an unfolding of $D$ within a restriction may need $\alpha$-conversions to avoid name 
captures, thus generating new names (i.e., names not in $P$ nor $D$) during execution. 

The interesting point about (4) is that injective relabelings are perhaps the most used 
kind of relabelings (e.g., injective relabelings are used in [9] to define linking operators, 
buffers, counters and stacks). In fact, [9] points out that the CCS laws for equational 
reasoning with injective relabelings as side conditions can usually be applied as one 
mostly works with this kind of relabeling. In the context of SCCS, another CCS variant 
where interaction is synchronous, idempotent relabelings are known to be redundant [8]. 
In fact, under some natural assumptions, the same holds for general relabelings in SCCS. 

Fig. 1. Classification of CCS variants. An arrow from X to Y indicates that Y is at least as 
expressive as X. (Un)decidability is understood w.r.t. the existence of divergent computations. 
(The diagram, which separates the decidable variants from the undecidable ones, is not reproduced here.) 

Another noteworthy aspect of our results is the qualitative distinction between static 
and dynamic name scoping for the calculi under consideration. Static scoping renders 
the calculus decidable (w.r.t. the divergence problem) and as expressive as that with 
replication. In contrast, dynamic scoping renders the calculus undecidable and as ex- 
pressive as that with parametric definitions. This is interesting, since as we shall see, 
the difference between the calculi with static or dynamic scoping is very subtle. Using 
static scoping for recursive expressions was discussed in the context of ECCS [5], an 
extension of CCS whose ideas led to the design of the $\pi$-calculus [10]. 

It should be noticed that preservation of divergence is not a requirement for equality 
of expressiveness; weak bisimilarity does not preserve divergence. Hence, although the 
results in [3] prove that divergence is decidable for $\mathrm{CCS}_!$ (and undecidable for $\mathrm{CCS}_p$), it 
does not follow directly from the arrows in Figure 1 that it is also decidable for $\mathrm{CCS}_\mu$. 

Finally, it is worth pointing out that, as exposed in [7], decidability of divergence 
does not imply lack of Turing expressiveness. In fact the authors in [2] show that $\mathrm{CCS}_!$ is 
Turing-complete. But this does not imply that $\mathrm{CCS}_!$ is equally expressive to $\mathrm{CCS}_p$ either; 
the notions of expressiveness used in concurrency theory may not coincide with those 
in computability. For example, [11] shows that under some reasonable assumptions the 
asynchronous version of the $\pi$-calculus, which can certainly encode Turing Machines, 
is strictly less expressive than the synchronous one. 

Overall, the general contribution of this paper is to provide and clarify some quali- 
tative and semantic distinctions among various CCS variants. 



2 CCS-Like Calculi 

We shall classify CCS-like calculi that differ in their way of specifying infinite behavior 
and name scope. Let us begin with their common finite fragment. 

In CCS, processes can perform actions or synchronize on them. These actions can 
be either offering port names for communication, or the so-called silent action $\tau$. We 
presuppose a countable set $\mathcal{N}$ of port names, ranged over by $a, b, x, y, \ldots$ and their 
primed versions. We then introduce a set of co-names $\overline{\mathcal{N}} = \{\bar{a} \mid a \in \mathcal{N}\}$ disjoint from 
$\mathcal{N}$. The set of labels, ranged over by $l$ and $l'$, is $\mathcal{L} = \mathcal{N} \cup \overline{\mathcal{N}}$. The set of actions $\mathit{Act}$, 
ranged over by $\alpha$ and $\beta$, extends $\mathcal{L}$ with a new symbol $\tau$. Actions $a$ and $\bar{a}$ are thought of 
as complementary, so we decree that $\bar{\bar{a}} = a$. We also decree that $\bar{\tau} = \tau$. 

Table 1. An operational semantics for a process calculus 

SUM: $\dfrac{}{\sum_{i \in I} \alpha_i . P_i \xrightarrow{\alpha_j} P_j}$ if $j \in I$ 

RES: $\dfrac{P \xrightarrow{\alpha} P'}{P \backslash a \xrightarrow{\alpha} P' \backslash a}$ if $\alpha \notin \{a, \bar{a}\}$ 

PAR1: $\dfrac{P \xrightarrow{\alpha} P'}{P \parallel Q \xrightarrow{\alpha} P' \parallel Q}$ 

PAR2: $\dfrac{Q \xrightarrow{\alpha} Q'}{P \parallel Q \xrightarrow{\alpha} P \parallel Q'}$ 

synchronization: $\dfrac{P \xrightarrow{l} P' \qquad Q \xrightarrow{\bar{l}} Q'}{P \parallel Q \xrightarrow{\tau} P' \parallel Q'}$ 

The processes specifying finite behavior are given by: 

$P, Q, \ldots ::= \sum_{i \in I} \alpha_i . P_i \;\mid\; P \backslash a \;\mid\; P \parallel Q$ (1) 

Intuitively $\sum_{i \in I} \alpha_i . P_i$, where $I$ is a finite set of indexes, represents a process able to 
perform one, and only one, of its $\alpha_i$ actions and then behave as the corresponding $P_i$. 
We write the summation as $0$ if $|I| = 0$, and drop the “$\sum$” if $|I| = 1$. The restriction 
$P \backslash a$ behaves as $P$ except that it can offer neither $a$ nor $\bar{a}$ to its environment. The names 
$a$ and $\bar{a}$ in $P$ are said to be bound in $P \backslash a$. The bound names of $P$, $\mathit{bn}(P)$, are those with 
a bound occurrence in $P$, and the free names of $P$, $\mathit{fn}(P)$, are those with a not bound 
occurrence in $P$. Finally, $P \parallel Q$ represents parallelism; either $P$ or $Q$ may perform an 
action, or they can also synchronize when performing complementary actions. 

The above description is made precise by the operational semantics in Table 1. A 
transition $P \xrightarrow{\alpha} Q$ says that $P$ can perform $\alpha$ and evolve into $Q$. 

In the literature there are at least four alternatives to extend the above syntax to 
express infinite behavior. We describe them next. 

2.1 Parametric Definitions: $\mathrm{CCS}_p$ 

A common way of specifying infinite behavior is by using parametric definitions [10]. 
In this case we extend the syntax of finite processes (Equation 1) as follows: 

$P, Q, \ldots ::= \ldots \;\mid\; A(y_1, \ldots, y_n)$ (2) 

Here $A(y_1, \ldots, y_n)$ is an identifier (also call, or invocation) of arity $n$. We assume that 
every such identifier has a unique, possibly recursive, definition $A(x_1, \ldots, x_n) \stackrel{\mathrm{def}}{=} 
P_A$ where the $x_i$'s are pairwise distinct, and the intuition is that $A(y_1, \ldots, y_n)$ behaves 
as its body $P_A$ with each $y_i$ replacing the formal parameter $x_i$. We denote by $\mathcal{D}$ the set 
of all definitions. We often use the notation $\vec{x}$ as an abbreviation of $x_1, x_2, \ldots, x_n$. 

Convention 1 (Finitary $\mathcal{D}$) Similar to [13], we shall require any process to depend 
only on finitely many definitions. Below we formalize this requirement. 
Given $A(\vec{x}) \stackrel{\mathrm{def}}{=} P_A$ and $B(\vec{y}) \stackrel{\mathrm{def}}{=} P_B$ in $\mathcal{D}$, we say that $A$ (directly) depends on $B$ 
if there is an invocation $B(\vec{z})$ in $P_A$. The above requirement can be 
then formalized by requiring the strict order induced by the reflexive and transitive 
closure of this dependency relation to be well-founded. We also stipulate the following requirement. 

Convention 2 For each $A(x_1, \ldots, x_n) \stackrel{\mathrm{def}}{=} P_A$, we require $\mathit{fn}(P_A) \subseteq \{x_1, \ldots, x_n\}$. 

We shall use CCS$_p$ to denote the calculus with parametric definitions with the above 
syntactic restrictions. The rules for CCS$_p$ are those in Table 1 plus the rule: 

$$\text{CALL} \quad \frac{P_A[y_1, \ldots, y_n / x_1, \ldots, x_n] \xrightarrow{\alpha} P'}{A(y_1, \ldots, y_n) \xrightarrow{\alpha} P'} \quad \text{if } A(x_1, \ldots, x_n) \stackrel{def}{=} P_A \qquad (3)$$

As usual $P[y_1 \ldots y_n / x_1 \ldots x_n]$ results from syntactically replacing every free occurrence 
of $x_i$ with $y_i$, renaming bound names, i.e., performing name $\alpha$-conversion, wherever 
needed to avoid capture. It follows from [10] that in CCS$_p$ we can identify process 
expressions obtained by renaming bound names (so $P\backslash a$ is the same as $P[b/a]\backslash b$). We 
then say that CCS$_p$ satisfies name $\alpha$-equivalence. 



2.2 Constant Definitions: CCS$_k$ 

We now consider the alternative for infinite behavior given in CCS [9]. We refer to 
identifiers with arity zero and their corresponding definitions as constants and constant 
(or parameterless) definitions, respectively. We omit the "( )" in $A()$. 

Given $A \stackrel{def}{=} P$, requiring all names in $fn(P)$ to be formal parameters, as we did for 
CCS$_p$ (Convention 2), would be too restrictive — $P$ would have no visible actions. Con- 
sequently, let us drop the requirement in Convention 2 to consider a fragment allowing 
only constant definitions but with possible occurrence of free names in their bodies. The 
rules for this fragment, which we call CCS$_k$, are simply those of CCS$_p$. In this case Rule 
CALL (which for CCS$_k$ we prefer to call CONS) takes the form 

$$\text{CONS} \quad \frac{P_A \xrightarrow{\alpha} P'}{A \xrightarrow{\alpha} P'} \quad \text{if } A \stackrel{def}{=} P_A \qquad (4)$$

i.e., no $\alpha$-conversion is involved, thus allowing name captures. As illustrated in the next 
section, this causes scoping to be dynamic and $\alpha$-equivalence not to hold. 



Relabelings. The reader familiar with process algebras may have noticed that CCS$_k$ 
is basically CCS except for the absence of relabeling. A relabeling $f : Act \to Act$ 
is the identity for all but finitely many actions. Furthermore, $f$ satisfies $f(\bar{a}) = \overline{f(a)}$, 
$f(a) \neq \tau$ and $f(\tau) = \tau$. For each action $\alpha$ performed by $P$, the relabeled process $P(f)$ 
executes $f(\alpha)$. More precisely: 

$$\text{REL} \quad \frac{P \xrightarrow{\alpha} P'}{P(f) \xrightarrow{f(\alpha)} P'(f)}$$



* The reflexive and transitive closure of the dependency relation is a preorder. By induced strict order we mean its strict component 
modulo the equivalence relation obtained by taking its symmetric closure. 

Remark 1. It is well known that the behavior specified by any process involving only 
injective relabelings can be equivalently specified (up to strong bisimilarity) by a relabeling-free 
process with the help of parametric definitions [12]. This is important since, as 
pointed out in [9], one usually works with injective relabelings. □ 



2.3 Recursion Expressions: CCS$_\mu$ 

Hitherto we have seen process expressions whose recursive behaviors are specified by 
an underlying set of definitions. It is often convenient, however, to have expressions 
which can specify recursive behavior on their own. Let us now extend our set of finite 
processes (Equation 1) with such recursive expressions: 

$$P, Q, \ldots ::= \ldots \mid X \mid \mu X.P \qquad (5)$$

Here $\mu X.P$ binds the occurrences of the process variable $X$ in $P$. As for bound and 
free names, we define the bound variables of $P$, $bv(P)$, as those with a bound occurrence 
in $P$, and the free variables of $P$, $fv(P)$, as those with an occurrence in $P$ that is not bound. 
An expression generated by the above syntax is said to be a process (expression) iff it 
is closed (i.e., it contains no free variables). The process $\mu X.P$ behaves as $P$ with the 
free occurrences of $X$ replaced by $\mu X.P$, applying variable $\alpha$-conversions wherever 
necessary to avoid captures. The semantics of $\mu X.P$ is given by the rule: 



$$\text{REC} \quad \frac{P[\mu X.P/X] \xrightarrow{\alpha} P'}{\mu X.P \xrightarrow{\alpha} P'} \qquad (6)$$

We call CCS$_\mu$ the resulting calculus. From [5] it follows that in CCS$_\mu$ we can identify 
processes up to name $\alpha$-equivalence. Furthermore, we make a typical assumption on 
CCS$_\mu$ process variables: they need to be guarded. We say that an expression is guarded 
in $P$ iff it lies within some sub-expression of $P$ of the form $\alpha.Q$. 

Convention 3 (Guarded Recursion) We shall confine ourselves to CCS$_\mu$ processes 
where all variables are guarded. 



Static and Dynamic Scope. An interesting issue regarding expression $P[\mu X.P/X]$ (cf. 
rule REC) is whether bound names in $P$ should be renamed to avoid captures (i.e., 
name $\alpha$-conversion). Such a requirement seems necessary should we want to identify 
processes up to $\alpha$-equivalence. In fact, the requirement gives CCS$_\mu$ static scoping of 
names. Let us illustrate this with an example. 

Example 1. Consider $\mu X.P$ with $P = (a \parallel (\bar{a}.b \parallel X)\backslash a)$. First, let us assume we 
perform name $\alpha$-conversions to avoid captures. So, $[\mu X.P/X]$ in $P$ renames the bound 
$a$ by a fresh name, say $c$, thus avoiding the capture of $P$'s free $a$ in the replacement, i.e., 

$$P[\mu X.P/X] = (a \parallel (\bar{c}.b \parallel \mu X.P)\backslash c) = (a \parallel (\bar{c}.b \parallel \mu X.(a \parallel (\bar{a}.b \parallel X)\backslash a))\backslash c)$$

The reader may care to verify (using the rules in Table 1 plus Rule REC) that $b$ will not 
be performed; i.e., there is no $\mu X.P \xrightarrow{\alpha_1} P_1 \xrightarrow{\alpha_2} \ldots$ s.t. $\alpha_i = b$. 

Now let us assume that the substitution makes no name $\alpha$-conversion. This causes a 
free occurrence of $a$ in $P$ (underlined below) to get bound, dynamically, in 
the scope of the outermost restriction, i.e., 

$$P[\mu X.P/X] = (a \parallel (\bar{a}.b \parallel \mu X.P)\backslash a) = (a \parallel (\bar{a}.b \parallel \mu X.(\underline{a} \parallel (\bar{a}.b \parallel X)\backslash a))\backslash a).$$

The reader can verify that, in this case, $b$ may eventually be performed. Such an execution 
of $b$ cannot be performed by $\mu X.Q$ where $Q$ is $(a \parallel (\bar{c}.b \parallel X)\backslash c)$, i.e., $P$ with the binding 
and bound occurrence of $a$ syntactically replaced with $c$. This shows that name $\alpha$- 
equivalence does not hold when dynamic scoping is used. □ 
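The two readings of Example 1 can be checked mechanically. Below is a small Python interpreter, added here as an illustration and not part of the paper, covering the finite operators the example needs (prefix, parallel composition, restriction; summation is left out) plus rule REC; its substitution either $\alpha$-converts a restriction that would capture a free name (static scoping) or lets the capture happen (dynamic scoping). Because unfolding is unbounded, a fuel parameter caps the REC applications per derivation and the search is bounded in depth, so the static case shows only that $b$ is not reached within the bound; the tuple encoding and all function names are this example's own.

```python
from itertools import count

# Process terms as nested tuples (an encoding chosen for this example, not the paper's):
#   ('nil',)          0
#   ('pre', act, P)   act.P, where act is 'a' (input), '~a' (output, a-bar) or 'tau'
#   ('par', P, Q)     P || Q
#   ('res', P, n)     P \ n
#   ('var', X)        process variable X
#   ('rec', X, P)     mu X . P
_fresh = count(1)  # alpha-conversion counter; names containing '#' are reserved

def name_of(act):
    """Channel name of an action; None for the silent action tau."""
    return None if act == 'tau' else act.lstrip('~')

def complementary(a, b):
    """a and a-bar (e.g. 'a' and '~a') can synchronize into a tau step."""
    return a != 'tau' and b != 'tau' and name_of(a) == name_of(b) and a != b

def fn(p):
    """Free names of a term (occurrences under a matching restriction are bound)."""
    tag = p[0]
    if tag == 'pre':
        n = name_of(p[1])
        return ({n} if n else set()) | fn(p[2])
    if tag == 'par':
        return fn(p[1]) | fn(p[2])
    if tag == 'res':
        return fn(p[1]) - {p[2]}
    if tag == 'rec':
        return fn(p[2])
    return set()

def rename(p, old, new):
    """Rename free occurrences of name `old` to `new` (assumed fresh)."""
    tag = p[0]
    if tag == 'pre':
        act = p[1]
        if name_of(act) == old:
            act = ('~' if act.startswith('~') else '') + new
        return ('pre', act, rename(p[2], old, new))
    if tag == 'par':
        return ('par', rename(p[1], old, new), rename(p[2], old, new))
    if tag == 'res' and p[2] != old:   # when p[2] == old the name is rebound: stop
        return ('res', rename(p[1], old, new), p[2])
    if tag == 'rec':
        return ('rec', p[1], rename(p[2], old, new))
    return p

def subst(p, x, r, dynamic):
    """P[R/X]. Under static scoping (dynamic=False) a restriction that would
    capture a free name of R is alpha-converted first; dynamic scoping captures."""
    tag = p[0]
    if tag == 'var':
        return r if p[1] == x else p
    if tag == 'pre':
        return ('pre', p[1], subst(p[2], x, r, dynamic))
    if tag == 'par':
        return ('par', subst(p[1], x, r, dynamic), subst(p[2], x, r, dynamic))
    if tag == 'res':
        body, n = p[1], p[2]
        if not dynamic and n in fn(r):
            fresh = f"{n}#{next(_fresh)}"
            body, n = rename(body, n, fresh), fresh
        return ('res', subst(body, x, r, dynamic), n)
    if tag == 'rec' and p[1] != x:     # when p[1] == x, X is rebound: stop
        return ('rec', p[1], subst(p[2], x, r, dynamic))
    return p

def steps(p, fuel, dynamic):
    """Transitions (act, P') of p; rule REC is applied at most `fuel` times per derivation."""
    tag = p[0]
    if tag == 'pre':
        return [(p[1], p[2])]
    if tag == 'par':
        left, right = steps(p[1], fuel, dynamic), steps(p[2], fuel, dynamic)
        out = [(a, ('par', p1, p[2])) for a, p1 in left]
        out += [(b, ('par', p[1], q1)) for b, q1 in right]
        out += [('tau', ('par', p1, q1)) for a, p1 in left      # synchronization
                for b, q1 in right if complementary(a, b)]
        return out
    if tag == 'res':
        return [(a, ('res', p1, p[2])) for a, p1 in steps(p[1], fuel, dynamic)
                if name_of(a) != p[2]]                           # n and n-bar blocked
    if tag == 'rec' and fuel > 0:       # REC: mu X.P -act-> P' if P[mu X.P/X] -act-> P'
        return steps(subst(p[2], p[1], p, dynamic), fuel - 1, dynamic)
    return []   # nil, free variable, or unfolding budget exhausted

def reachable_actions(p, fuel, depth, dynamic):
    """Actions observed along any run of at most `depth` transitions from p."""
    seen, frontier, acts = {p}, [p], set()
    for _ in range(depth):
        succ = [(a, q1) for q in frontier for a, q1 in steps(q, fuel, dynamic)]
        acts |= {a for a, _ in succ}
        frontier = list({q1 for _, q1 in succ} - seen)
        seen |= set(frontier)
    return acts

# Example 1 of the paper: mu X.(a || (a-bar.b || X)\a)
EXAMPLE_1 = ('rec', 'X', ('par', ('pre', 'a', ('nil',)),
                          ('res', ('par', ('pre', '~a', ('pre', 'b', ('nil',))),
                                          ('var', 'X')), 'a')))

def example_1_actions(dynamic):
    """Actions reachable in Example 1 within 4 steps, unfolding REC at most 3 times."""
    return reachable_actions(EXAMPLE_1, fuel=3, depth=4, dynamic=dynamic)
```

With static scoping only `a` is ever offered, whereas with dynamic scoping the captured `a` synchronizes with `~a`, producing a `tau` step after which `b` becomes available.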



Remark 2. It should be pointed out that using recursive expressions with no name $\alpha$- 
conversion is in fact equivalent to using instead constant definitions as in the previous 
calculus CCS$_k$. In fact, in presenting CCS, [9] uses alternatively both kinds of construc- 
tions: using Rule REC, with no name $\alpha$-conversion, for one and Rule CONS for the 
other. For example, by taking $A \stackrel{def}{=} P$ with $P$ as in Example 1 one can verify that, 
in CCS$_k$, $A$ exhibits exactly the same dynamic scoping behavior illustrated by the ex- 
ample. So, name $\alpha$-equivalence does not hold in CCS (exposing yet another semantic 
difference between CCS and the $\pi$-calculus as the latter uses static scoping and satisfies 
$\alpha$-equivalence). □ 

2.4 Replication: CCS$_!$ 

One simple way of expressing infinite behavior is by using replication. Although mostly 
found in calculi for mobility, replication has also been studied in the context of CCS [3, 
2]. In this case the syntax of finite processes (Equation 1) is extended with: 

$$P, Q, \ldots ::= \ldots \mid\ !P \qquad (7)$$

Intuitively $!P$ behaves as $P \parallel P \parallel \ldots \parallel P \parallel\ !P$; as many copies of $P$ as you wish. 
We call CCS$_!$ the calculus that results from the above syntax. The operational rules for 
CCS$_!$ are those in Table 1 plus the following rule: 

$$\text{REP} \quad \frac{P \parallel\ !P \xrightarrow{\alpha} P'}{!P \xrightarrow{\alpha} P'} \qquad (8)$$

From [10] we know that CCS$_!$ processes can be identified under $\alpha$-equivalence. 



2.5 Summary of Calculi 

We described several calculi based on the literature of CCS. We have CCS$_p$ the cal- 
culus with parametric definitions and CCS$_k$ the calculus with constant (or parame- 
terless) definitions. We also have CCS$_\mu$ the statically scoped calculus with recursive 
expressions — the dynamically scoped version instead coincides with CCS$_k$. Finally, we 
have the calculus with replication, CCS$_!$. 

Convention 4 Henceforth, we use $\Sigma$ to denote the signature $\{p, k, \mu, !\}$ of our calculi 
sub-indexes. We shall use $\sigma, \sigma', \ldots$ to range over $\Sigma$. In the following sections, we shall 
index sets and relations with the appropriate symbol from $\Sigma$ to make explicit the calculus 
under consideration. For example, $\xrightarrow{\alpha}_\sigma$ represents a transition of CCS$_\sigma$. Similarly, we 
shall use $Proc_\sigma$ to denote the set of CCS$_\sigma$ processes. However, we may omit the indexes 
when these are unimportant or clear from the context. 



3 Expressiveness and Classification Criteria 

Here we introduce the means we shall use to compare and classify the various calculi. 

Comparing Calculi: Bisimilarity. We wish to compare the behavior of two given pro- 
cesses $P$ and $Q$ w.r.t. the standard notion of (weak) bisimilarity [9]. However, $P$ and $Q$ 
may belong to two different calculi, say CCS$_\sigma$ and CCS$_{\sigma'}$. We then find it convenient 
to state the standard notion as below. First, recall that the converse of a binary relation 
$S$ is $S^{-1} = \{(e', e) \mid (e, e') \in S\}$. 

Definition 1 (Bisimilarity). A relation $S \subseteq Proc_\sigma \times Proc_{\sigma'}$, with $\sigma, \sigma' \in \Sigma$, is said 
to be a (strong) simulation iff for all $(P, Q) \in S$: 

whenever $P \xrightarrow{\alpha}_\sigma P'$ then, for some $Q'$, $Q \xrightarrow{\alpha}_{\sigma'} Q'$ and $(P', Q') \in S$. 

The relation $S$ is called a (strong) bisimulation if both $S$ and its converse are simulations. 
Furthermore, we say that $P \in Proc_\sigma$ and $Q \in Proc_{\sigma'}$ are strongly bisimilar (w.r.t. 
$\sigma$ and $\sigma'$), written $P \sim_{\sigma\sigma'} Q$ (or simply $P \sim Q$), iff there exists a bisimulation $S \subseteq 
Proc_\sigma \times Proc_{\sigma'}$ such that $(P, Q) \in S$. The relation $\sim$ is called (strong) bisimilarity. □ 

Let us now recall the weaker notion of bisimilarity which abstracts away from silent 
(i.e., $\tau$) actions. We need a little notation. Define $\stackrel{s}{\Longrightarrow}$, with $s = \alpha_1.\alpha_2.\ldots.\alpha_n$ a sequence of visible actions, as 
$(\xrightarrow{\tau})^* \xrightarrow{\alpha_1} (\xrightarrow{\tau})^* \cdots (\xrightarrow{\tau})^* \xrightarrow{\alpha_n} (\xrightarrow{\tau})^*$. The notions of weak (bi)simulation and 
weak bisimilarity can be derived from the strong versions by replacing in Definition 1 
$\xrightarrow{\alpha}$ and $\sim$ with $\stackrel{\hat{\alpha}}{\Longrightarrow}$ and $\approx$, respectively (cf. [9, §7.1]). We can now make precise our 
criterion for expressiveness. 

Definition 2. We say that CCS$_\sigma$ is as expressive as CCS$_{\sigma'}$ iff for every $P \in Proc_\sigma$, there 
exists $Q \in Proc_{\sigma'}$ such that $P$ and $Q$ are weakly bisimilar (w.r.t. $\sigma$ and $\sigma'$). □ 

To prove equivalence on expressiveness, we shall provide (weak) bisimulation pre- 
serving mappings $\llbracket \cdot \rrbracket$, which we call encodings, from the processes of one calculus into 
the processes of another. Some encodings will be chosen to preserve one further prop- 
erty: divergence. It should be noticed that unlike strong bisimulation, weak bisimulation 
identifies some divergent processes with non-divergent ones. Let us formalize the notion 
of divergence. 

Definition 3. We say that $P$ is divergent (or that it diverges) iff $P(\xrightarrow{\tau})^\omega$, i.e., there 
exists an infinite sequence $P = P_0 \xrightarrow{\tau} P_1 \xrightarrow{\tau} \ldots$. □ 
Classifying Calculi: Decidability of Divergence. We shall classify the various calculi 
according to whether divergence is decidable for the calculus. By divergence being 
decidable for CCS$_\sigma$, we mean that there exists an algorithm which can fully determine, 
given $P \in Proc_\sigma$, whether $P$ is divergent. 



4 Encodings 

In this section we give the various encodings. Furthermore, in order to classify the calculi 
w.r.t. the decidability of divergence, we shall also prove the relevant encodings to be 
divergence-preserving and computable. 



4.1 Encoding CCS$_p$ into CCS$_k$ 

Here we give an encoding $\llbracket \cdot \rrbracket : \mathrm{CCS}_p \to \mathrm{CCS}_k$. For the sake of presentation, we consider 
only unary parametric definitions. The encoding can be easily generalized to the $n$-ary 
case by extending our concepts and definitions from names to vectors of names. 

For simplicity and w.l.o.g. we assume there is a definition of the form $M_P(x) \stackrel{def}{=} P \in D_P$ 
with $M_P$ not occurring in $P$ and $D_P$ being the finite set of definitions arising 
from the identifiers in $P$ — think of $M_P$ as the "main" procedure of $P$. Formally, $D_P$ is 
the set of definitions for the identifiers in the closure under the dependency relation of $\{M_P\}$ (see Convention 1). 

For the encoding we would like to associate to each process $P$ in CCS$_p$ a process 
in CCS$_k$ substituting $B_y$ for each invocation $B(y)$ in $P$. How many invocations of this 
form should be considered? Given that CCS$_p$ satisfies $\alpha$-equivalence, there is potentially 
an infinite number of such invocations — which means that a careful choice of names 
$y$ is needed if we want to obtain a finite number of constant definitions. To complicate 
things further, rule CALL may force an $\alpha$-conversion anywhere in the execution of a 
CCS$_p$ process. 

Instead of presenting the encoding mapping right away, we proceed in a stepwise 
fashion. We start with the set of all CCS$_k$ processes (because of $\alpha$-conversions) that may 
be associated to a single CCS$_p$ process. In Def. 5, we identify sufficient conditions for 
subsets of those processes to define a good encoding into CCS$_k$. Finally, we show a 
procedure to effectively construct such an encoding. 

Definition 4. The function $\widehat{\cdot} : \mathrm{CCS}_p \to \mathcal{P}(\mathrm{CCS}_k)$ is inductively defined over the struc- 
ture of its parameter: 

$$\widehat{P} = \begin{cases}
\{0\} & \text{if } P = 0 \\
\{\alpha.Q \mid Q \in \widehat{P'}\} & \text{if } P = \alpha.P' \\
\{Q_1 \parallel Q_2 \mid Q_i \in \widehat{P_i},\ i = 1, 2\} & \text{if } P = P_1 \parallel P_2 \\
\{\Sigma_{i \in I}\,\alpha_i.Q_i \mid Q_i \in \widehat{P_i},\ i \in I\} & \text{if } P = \Sigma_{i \in I}\,\alpha_i.P_i \\
\{Q\backslash\beta \mid \exists P' \in Proc_p.\ P =_\alpha P'\backslash\beta \wedge Q \in \widehat{P'}\} & \text{if } P = P''\backslash a \\
\{A_y\} & \text{if } P = A(y)
\end{cases}$$

Example 2. If $P = a.b.0 + B(h)$ then $\widehat{P}$ is the singleton $\{a.b.0 + B_h\}$. □ 

Example 3. If $P = (z.x.0 \parallel \bar{x}.0 \parallel A(z))\backslash z$ then $\widehat{P}$ contains (among many others) the 
elements $(z.x.0 \parallel \bar{x}.0 \parallel A_z)\backslash z$ and $(y.x.0 \parallel \bar{x}.0 \parallel A_y)\backslash y$. □ 

Remark 3. The definition of $\widehat{\cdot}$ is invariant under $\alpha$-conversions. More generally, it can 
be shown that $P =_\alpha Q$ iff $\widehat{P} = \widehat{Q}$. □ 

We now define $\llbracket P \rrbracket$, which requires specifying the set $\llbracket D_P \rrbracket$ of (constant) definitions 
induced by $\llbracket P \rrbracket$. 

Definition 5. Given a process $P \in \mathrm{CCS}_p$ with associated definition set $D_P$, an encod- 
ing of $P$ in CCS$_k$ is defined as the CCS$_k$ constant $M_P$ (called $\llbracket P \rrbracket$) together with an 
underlying set of definitions $\llbracket D_P \rrbracket$, satisfying the following two conditions: 

(I) $\llbracket D_P \rrbracket$ contains a definition $(M_P \stackrel{def}{=} P_0)$ for some $P_0 \in \widehat{P}$. 

(II) If $(A_y \stackrel{def}{=} Q_A) \in \llbracket D_P \rrbracket$, $B_z$ occurs in $Q_A$ and $(B(x) \stackrel{def}{=} P_B) \in D_P$, then there is 
$Q_B \in \widehat{P_B[z/x]}$ s.t. $(B_z \stackrel{def}{=} Q_B) \in \llbracket D_P \rrbracket$. 

We understand a set of definitions to contain at most one definition per process constant. 
A set of definitions satisfying conditions (I) and (II) is called an encoding set. □ 

Observe that, according to the definition, there are (infinitely) many encodings for a 
given process $P$. Not only can an encoding be extended with definitions and still remain 
an encoding, but also condition (II) allows for many different definitions for constant $B_z$. 
If, say, $Q_B, Q'_B \in \widehat{P_B[z/x]}$, then an encoding $\llbracket D_P \rrbracket$ may contain either the definition 
$B_z \stackrel{def}{=} Q_B$ or the definition $B_z \stackrel{def}{=} Q'_B$ (but not both). 

The following lemma¹ characterizes the shape of minimal encoding sets. 

Lemma 1. Given an encoding set $\llbracket D_P \rrbracket$, the set $D = \{(A_y \stackrel{def}{=} Q_A) \in \llbracket D_P \rrbracket \mid 
Q_A \in \widehat{P_A[y/x]}\}$ is an encoding set (included in $\llbracket D_P \rrbracket$). □ 

Recall that $D_P$ contains finitely many definitions. We shall show that an encoding 
can be effectively constructed (so that the resulting set of definitions $\llbracket D_P \rrbracket$ is also finite). 
First let us illustrate the construction with the following example. 

Example 4. Let $P = A(x)$ with $D_P = \{A(x) \stackrel{def}{=} (z.x.0 \parallel \bar{x}.0 \parallel A(z))\backslash z\}$. We 
proceed to define an encoding by constructing a set $\llbracket D_P \rrbracket$ so that it satisfies conditions 
(I) and (II). To satisfy condition (I), let $A_x \stackrel{def}{=} (z.x.0 \parallel \bar{x}.0 \parallel A_z)\backslash z \in \llbracket D_P \rrbracket$. Then, 
condition (II) requires a definition such as: $A_z \stackrel{def}{=} (z_1.z.0 \parallel \bar{z}.0 \parallel A_{z_1})\backslash z_1 \in \llbracket D_P \rrbracket$. 
Notice that due to $\alpha$-conversion in equation $A_z$ we have obtained a new name $z_1$ and 
hence we have to give a new definition for $A_{z_1}$. Of course because of the $\alpha$-conversion 
we could have chosen another fresh name $z_2$, but that would only lead to a different but 
equally useful encoding. Using condition (II) again: $A_{z_1} \stackrel{def}{=} (z.z_1.0 \parallel \bar{z}_1.0 \parallel A_z)\backslash z \in 
\llbracket D_P \rrbracket$, and we are done; no other definition needs to be added to $\llbracket D_P \rrbracket$. It is easy to 
check that the resulting set satisfies conditions (I) and (II), and therefore constitutes an 
encoding of $P$ in CCS$_k$. □ 

¹ See [6] for the proof of the lemmas in this paper. 
We now show that for any $P$, one can compute an encoding set $\llbracket D_P \rrbracket$. 

Theorem 1. For any $P \in \mathrm{CCS}_p$ with a finite set $D_P$ of associated definitions, one can 
effectively construct an encoding set $\llbracket D_P \rrbracket$. 

Proof. Let $Var(D_P)$ be the set of all the names occurring in $D_P$. For each $A(x) \stackrel{def}{=} P_A \in 
D_P$ and each $y \in Var(D_P)$, choose a $P_A^y$ so that $P_A^y \in \widehat{P_A[y/x]}$. Define $S = \{A_y \stackrel{def}{=} 
P_A^y \mid (A(x) \stackrel{def}{=} P_A) \in D_P \wedge y \in Var(D_P)\}$. Notice that $S$ is a finite set. Proceed 
by defining $T = \{z \mid \exists \text{ constant } B_z.\ B_z \text{ occurs in } S \wedge B_z \text{ is not defined in } S\}$, and 
notice that $T$ is a finite set too. Observe that, for each definition $A(x) \stackrel{def}{=} P_A \in D_P$ and 
for each $y \in T$, the substitution $P_A[y/x]$ requires no alpha-conversion. Consequently 
it is possible to choose $P_A^y \in \widehat{P_A[y/x]}$ so that for each constant $B_z$ occurring in 
$P_A^y$, $z \in (Var(D_P) \cup T)$. We have now a candidate $E_{D_P}$ for the set of definitions in 
the encoding of $P$. It is simply defined as $E_{D_P} = \{A_y \stackrel{def}{=} P_A^y \mid (A(x) \stackrel{def}{=} P_A) \in 
D_P \wedge y \in (Var(D_P) \cup T)\}$. Since $(M_P \stackrel{def}{=} P_0) \in S \subseteq E_{D_P}$, with $P_0 \in \widehat{P}$, our 
candidate set satisfies condition (I) in Def. 5. It remains to be shown that $E_{D_P}$ also 
satisfies condition (II). Assume now that $(A_y \stackrel{def}{=} Q_A) \in E_{D_P}$, that $B_z$ occurs in $Q_A$ 
and that $(B(x) \stackrel{def}{=} P_B) \in D_P$. By construction, $z \in (Var(D_P) \cup T)$, and therefore 
$(B_z \stackrel{def}{=} P_B^z) \in E_{D_P}$. This shows that $E_{D_P}$ satisfies condition (II). Therefore, our 
effectively constructed candidate $E_{D_P}$ is indeed an encoding $\llbracket D_P \rrbracket$. □ 

We now state the correctness of the encoding up to (strong) bisimilarity. The theorem 
actually says that parametric definitions are not more expressive than constant definitions. 

Theorem 2. Given a process $P \in \mathrm{CCS}_p$ with associated set of definitions $D_P$, any 
encoding $\llbracket P \rrbracket$ with definition set $\llbracket D_P \rrbracket$ satisfies $P \sim \llbracket P \rrbracket$. □ 

Remark 4. It follows from Remark 1 and the above theorem that injective relabelings 
are redundant in CCS (up to strong bisimilarity). 

Now, [3] shows that divergence is undecidable for CCS$_p$. Furthermore, we also showed 
that the above encoding is computable. Since divergence is invariant under strong bisim- 
ilarity, we can then conclude the following result. 

Theorem 3. The divergence problem is undecidable for CCS$_k$. □ 

4.2 Encoding CCS$_k$ into CCS$_p$ 

Intuitively, if the free names are treated dynamically, then they could equivalently be 
passed as parameters. Thus, we can define the encoding as follows: 

Definition 6. Given $P \in \mathrm{CCS}_k$ with a set of associated constant definitions of the form 
$A \stackrel{def}{=} P_A$ and given a strict total order over names, the encoding of $P$ into CCS$_p$ is a 
process $\llbracket P \rrbracket$ with associated set of definitions 

$$\{A(x_1, \ldots, x_n) \stackrel{def}{=} \llbracket P_A \rrbracket \mid (A \stackrel{def}{=} P_A) \in D_P \wedge fn(P_A) = \{x_1, \ldots, x_n\}\}.$$

The encoding function $\llbracket \cdot \rrbracket : Proc_k \to Proc_p$, which is a homomorphism over all other 
operators, satisfies $\llbracket A \rrbracket = A(x_1, \ldots, x_n)$ where $fn(P_A) = \{x_1, \ldots, x_n\}$. Both in 
definitions and in invocations, all lists of argument names are assumed sorted. □ 

(By homomorphism we mean that $\llbracket P \parallel Q \rrbracket = \llbracket P \rrbracket \parallel \llbracket Q \rrbracket$ and similarly for the other 
operators.) 

The following theorem states that constant definitions with dynamic scoping are not 
more expressive than parametric definitions with static scoping. 

Theorem 4. For every process $P$ in CCS$_k$, $\llbracket P \rrbracket \sim P$. □ 

4.3 Encoding CCS$_\mu$ into CCS$_!$ 

The main idea behind this encoding is to associate a replicated process $!x.P'$ to each 
occurrence of the recursion operator, $\mu X.P$. In the past a similar approach has been used 
to show that, in the $\pi$-calculus, recursion can be expressed using replication [13]. While 
in [13] each $\pi$-calculus process and its encoding happen to be strongly bisimilar, this is 
not the case for CCS$_\mu$. Although in general a CCS$_\mu$ process is only weakly bisimilar to 
its encoding, we show that divergence properties are always preserved. 

Our definition assumes that process variables are indexed by $I$, i.e. $\{X_i \mid i \in I\}$: 

Definition 7. Let $\llbracket \cdot \rrbracket : Proc_\mu \to Proc_!$ be the encoding function that is homomorphic 
over all operators in the sub-calculus defining finite behavior and is otherwise defined 
as follows: 

$$\llbracket X_i \rrbracket = \bar{x}_i.0 \qquad\qquad \llbracket \mu X_i.P \rrbracket = (!x_i.\llbracket P \rrbracket \parallel \bar{x}_i.0)\backslash x_i$$

where the names $\{x_i \mid i \in I\}$ are fresh. □ 

The freshness condition on the variables $x_i$ is meant to guarantee that every time we 
apply $\llbracket P \rrbracket$, $P$ mentions none of them. 

Remark 5. The above encoding would not work had we adopted dynamic scoping in 
the Rule REC for CCS$_\mu$ (see Remark 2). The $\mu X.P$ in Example 1 actually gives us a 
counter-example. □ 

The following example illustrates why a CCS$_\mu$ process may not be strongly bisimilar to 
its encoding. 

Example 5. Consider the CCS$_\mu$ process $P = \mu X.a.X$ with corresponding encoding 
$\llbracket P \rrbracket = (!x.a.\bar{x} \parallel \bar{x})\backslash x$. They are clearly not strongly bisimilar, as $P$ has the single trace 
$\mu X.a.X \xrightarrow{a} \mu X.a.X \xrightarrow{a} \mu X.a.X \ldots$ while $\llbracket P \rrbracket$ only produces $(!x.a.\bar{x} \parallel \bar{x})\backslash x \xrightarrow{\tau} 
(!x.a.\bar{x} \parallel a.\bar{x})\backslash x \xrightarrow{a} (!x.a.\bar{x} \parallel \bar{x})\backslash x \xrightarrow{\tau} \ldots$ Observe that each transition in the first 
trace uses rule REC, and that every other step in the second one reflects explicitly, as an 
internal transition, each recursive call. □ 



In comparing CCS$_\mu$ and CCS$_!$, we find it convenient to consider yet another variant 
calculus, as an intermediate step, which we call CCS$_\tau$: Its syntax agrees entirely with 
CCS$_\mu$'s (i.e. $Proc_\tau = Proc_\mu$), and its semantics differs from CCS$_\mu$'s only by a replace- 
ment of REC with a rule in which the unfolding performs a $\tau$ action — hence the name 
CCS$_\tau$: 

$$\text{REC}' \quad \mu X.P \xrightarrow{\tau} P[\mu X.P/X]$$

Example 6. Consider process $P$ as given in Example 5 but this time within CCS$_\tau$ (which 
is possible thanks to $Proc_\tau = Proc_\mu$). The only trace exhibited by $P$ is: $\mu X.a.X \xrightarrow{\tau} 
a.(\mu X.a.X) \xrightarrow{a} \mu X.a.X \xrightarrow{\tau} \ldots$ and therefore $P \sim \llbracket P \rrbracket$. □ 

In fact, the property illustrated by the previous example holds in general, as stated 
in the following theorem. The proof is essentially an adaptation of the one given by 
Sangiorgi and Walker in [13]. 

Theorem 5. If $P \in \mathrm{CCS}_\tau$, then $P \sim \llbracket P \rrbracket$. □ 

Because strong bisimilarity is known to preserve expressiveness and divergence, the 
above theorem lets us reduce the problem of studying the encoding to investigating the 
relation between CCS$_\tau$ and CCS$_\mu$. 

We define a binary relation $\mathcal{R} \subseteq (Proc_\mu \times Proc_\tau)$ as follows: $P\ \mathcal{R}\ Q$ iff there exists 
$n \geq 0$ such that $P = Q_0 \xrightarrow{\tau} Q_1 \xrightarrow{\tau} \cdots Q_n = Q$, where each derivation $Q_i \xrightarrow{\tau} Q_{i+1}$ 
involves the application of rule REC'. 

We show that besides being a weak bisimulation relation, $\mathcal{R}$ also relates processes 
with equal divergence properties. As a first step, notice that each $\xrightarrow{\alpha}_\mu$ transition can be 
mimicked by $\mathcal{R}$-related processes in CCS$_\tau$ after possibly some $\tau$ transitions (which 
correspond to recursive invocations involving rule REC'). 

Lemma 2. If $P\ \mathcal{R}\ Q$ and $P \xrightarrow{\alpha}_\mu P'$ then there exists $Q'$ such that $Q (\xrightarrow{\tau}_\tau)^* \xrightarrow{\alpha}_\tau Q'$ and 
$P'\ \mathcal{R}\ Q'$. □ 

Remark 6. Notice that we have restricted our attention to processes where all variables 
are guarded. Without this assumption divergence would not be preserved by our encod- 
ing. For example, $\mu X.X$ diverges in CCS$_\tau$ but deadlocks in CCS$_\mu$. □ 

Lemma 3. If $P\ \mathcal{R}\ Q$ and there is a derivation of $Q \xrightarrow{\tau}_\tau Q'$ which does not involve the 
application of rule REC', then there exists $P'$ s.t. $P \xrightarrow{\tau}_\mu P'$ and $P'\ \mathcal{R}\ Q'$. □ 

To show that two identical processes, interpreted in CCS$_\mu$ and resp. CCS$_\tau$, are weakly 
bisimilar we need to show two simulations: One is provided by Lemma 2 and the other 
follows by a combination of Lemma 3 and the definition of $\mathcal{R}$ (to cover the case in which 
$Q \xrightarrow{\tau}_\tau Q'$ does use rule REC'). The result is summarized by our next theorem. 

Theorem 6. Given a process $P$ in CCS$_\mu$, $P \approx_{\mu\tau} P$. □ 

Observe that this is still not enough to show that $\mathcal{R}$ relates processes with the same 
divergence properties. If $P\ \mathcal{R}\ Q$ and $Q$ diverges, Lemma 3 is not strong enough to show 
that $P$ may execute a single $\tau$ transition. However, it turns out that $Q$ cannot diverge by 
executing only recursive calls (again, a result of our assumptions on guarded summation 
and guarded recursion; see Remark 6 and [6]). So, if after some finite execution trace, 
$Q$ performs a $\tau$ transition that does not involve REC', we can apply Lemma 3 to deduce 
that $P$ may also perform a $\tau$ transition. Since this process can be repeated endlessly it 
must be concluded that divergence in CCS$_\tau$ forces divergence in CCS$_\mu$. The converse 
is an easy consequence of Lemma 2. That is, we have shown: 

Proposition 1. For $P \in \mathrm{CCS}_\mu$, $P(\xrightarrow{\tau}_\mu)^\omega$ iff $P(\xrightarrow{\tau}_\tau)^\omega$. □ 

Our journey from CCS$_\mu$ to CCS$_!$ through CCS$_\tau$ has rendered the following result. 

Corollary 1. For $P \in Proc_\mu$, $P \approx \llbracket P \rrbracket$. Moreover, $P$ diverges iff $\llbracket P \rrbracket$ diverges. □ 

From the above corollary, the fact that the encoding is computable, and the result of 
[3] showing that divergence is decidable for CCS$_!$ we conclude the following: 

Theorem 7. The divergence problem is decidable for CCS$_\mu$. □ 

4.4 Encoding CCS$_!$ into CCS$_\mu$ 

Except for the syntax and our restriction to guarded recursion, this encoding is essentially 
that given in [13] for the $\pi$-calculus. 

Definition 8. Let $\llbracket \cdot \rrbracket : Proc_! \to Proc_\mu$ be the encoding function that is homomorphic 
over all operators in the sub-calculus defining finite behavior and is otherwise defined 
as follows: $\llbracket !P \rrbracket = \mu X.(\llbracket P \rrbracket \parallel \tau.X)$. □ 

In fact, the proof of the following theorem follows that in [13]. 

Theorem 8. For $P \in Proc_!$, $P \approx \llbracket P \rrbracket$. □ 

Observe that, because of our restriction to guarded recursion, the encoding does not 
preserve divergence. For instance, if $P = !0$ then $P$ is deadlocked in CCS$_!$ but 

$$\llbracket P \rrbracket = \mu X.(0 \parallel \tau.X) \xrightarrow{\tau} 0 \parallel \mu X.(0 \parallel \tau.X) \xrightarrow{\tau} 0 \parallel 0 \parallel \mu X.(0 \parallel \tau.X) \xrightarrow{\tau} \ldots$$

5 Concluding Remarks 

We studied the relative expressiveness (w.r.t. weak bisimilarity) and the decidability of 
divergence for some CCS-like calculi. The calculi differ on the constructs used to express 
infinite behavior and on the treatment of scoping of channel names; the finite core being 
the same. We showed that parameters can be removed from recursive definitions without 
loss of expressiveness provided dynamic name scoping is applied. We also showed that 
the expressiveness of recursive expressions with static scoping corresponds precisely to 
that of replication. We partitioned the calculi into two groups: For one, divergence is 
undecidable (i.e., constant and parametric definitions), whereas it is decidable for the 
other (i.e., replication and recursive expressions with static scoping). Figure 1, in the 
Introduction, illustrates these results. 

As a consequence of our results, we proved that a substantial family of relabelings, 
the injective ones, is redundant in CCS (see Remark 4). We also showed that a slightly 
different interpretation of Rule REC, namely performing also name $\alpha$-conversions in 
substitutions, can render decidable (w.r.t. divergence) an otherwise undecidable calculus 
(see Remark 2). We illustrated that CCS exhibits dynamic name scoping and that it does 
not preserve $\alpha$-equivalence. 
Related Work. Most of the related work was already discussed in the Introduction. The 
most closely related work is [3] which shows the (un)decidability of divergence for CCS$_p$ 
and CCS$_!$. Here we extend these results to the corresponding equally expressive calculi. 
The work on ECCS [5], perhaps the most immediate predecessor of the $\pi$-calculus, 
advocates static scoping of names. In contrast, the work on CHOCS [14] advocates 
dynamic name scoping in the context of higher-order CCS. Furthermore, the CCS variant 
in [10] uses statically scoped parametric definitions while the Edinburgh Concurrency 
Workbench tool [4] uses dynamic scoping for parametric definitions. 

The work in [1] shows that in CCS, non-injective relabelings lead to a sensibly 
different treatment of asynchrony w.r.t. the injective ones. We believe that it would be 
interesting to investigate more qualitative distinctions for these two kinds of relabelings. 



Acknowledgments. We are indebted to Maurizio Gabbrielli, Jean-Jacques Levy, Sergio 
Abstract. SAFeDpi is a distributed version of the Picalculus, in which 
processes are located at dynamically created sites. Parametrised code 
may be sent between sites using so-called ports, which are essentially 
higher-order versions of Picalculus communication channels. A host 
location may protect itself by only accepting code which conforms to a 
given type associated to the incoming port. 

We define a sophisticated static type system for these ports, which restricts 
the capabilities and access rights of any processes launched by incoming 
code. Dependent and existential types are used to add flexibility, 
allowing the behaviour of these launched processes, encoded as process 
types, to depend on the host’s instantiation of the incoming code. 

We also show that a natural contextually defined behavioural equiv- 
alence can be characterised coinductively, using bisimulations based on 
typed actions. The characterisation is based on the idea of knowledge 
acquisition by a testing environment and makes explicit some of the sub- 
tleties of determining equivalence in this language of highly constrained 
distributed code. 



1 Introduction 

In this paper we elaborate a theory of distributed systems which incorporates 
resource policies. Our main results are: 

— a language for distributed systems in which access to hosts by mobile code 
is controlled using capability-based types 

— a fine-grained type system using novel forms of dependent and existential 
types which gives hosts considerable flexibility in determining the allowed 
behaviour of incoming code 

— a coinductive characterisation of a natural contextual equivalence, based on 
the notion of typed actions. 

This is developed in terms of an extension of the language Dpi, [11,8,20, 
14], a version of the Picalculus, [21], in which processes may migrate between 
locations, which in turn can be dynamically created. In this paper we make 
two extensions to Dpi. The first allows more control to locations over code 
which wishes to access their computation space. In SAFeDpi, the language of 
this paper, migration is represented by $k\llbracket \mathtt{goto}_p\, l.F \rrbracket \to l\llbracket p!\langle F\rangle \rrbracket$. A thread must 
designate a port $p$ at $l$ in order to migrate. It then reduces to the system $l\llbracket p!\langle F\rangle \rrbracket$, 
which a priori represents a thread running at location $l$. However this thread will 
have no effect until the site $l$ makes available a corresponding thread of the form 
$l\llbracket p?(x)\,Q \rrbracket$; using standard communication this will now allow the effective entry 
of $F$. In this manner, by programming the presence or absence of ports, the site 
$l$ can control the immigration of code. 

Effectively we have replaced unconstrained spawning of processes at arbitrary 
sites by higher-order communication. Moreover these ports, higher-order chan- 
nels, have types associated with them. The types on ports are the second major 
extension to the language. In general we allow scripts, parameterised code, to 
be sent via ports. These take the form $\lambda(\tilde{x} : \tilde{T})P$ where each $x_i$ can be matched 
by arbitrary transmittable values; it is the types $T_i$ which determine the nature 
of the abstraction. But when such a script is transmitted it may be instantiated 
at the receiving site by values of the appropriate type. This gives added security 
to sites by controlling the type at which scripts will be accepted. 

The most straightforward form of type for scripts is $(\tilde{x} : \tilde{T}) \to \mathtt{proc}$, stating 
that, whenever a script of this type is instantiated with appropriate parame- 
ters, the result is guaranteed to be a well-typed process. But a priori there is 
no constraint on the resources it can use. To limit the access of incoming code 
to resources we introduce fine-grained process types, [23]. These dictate the ca- 
pabilities, on both local and third-party channels, which the code is allowed to 
access, and take the form of a record: $\mathtt{pr}[c_1 : C_1@k_1, \ldots, c_n : C_n@k_n]$. A process 
of this type can use at most the set of channels $c_i$, located respectively at the 
locations $k_i$, with the capabilities $C_i$; in these process types the use of a local 
channel $c$ is indicated by an entry of the form $c : C@\mathtt{here}$. 

When these process types are incorporated into script types a host location 
can have much more effective control over the behaviour of incoming code, 
particularly when we use a form of dependent function type. For example suppose 
a port only accepts scripts at the type 

Fdep(x : r(T) → pr[x : r(T)@here, reply : w(T)@k]) 

Then an incoming script can only be instantiated by a local channel, with read 
capability at type T. Moreover the resulting running code is now only allowed 
to read from this local channel and write to the third-party channel called reply 
located at the specific location k. With a port of the type 

Fdep(y : w(T)@k → pr[info : r(T)@here, y : w(T)@k]) 

the host can instantiate the incoming script with some channel located at the 
site k, on which it has write permission, and the running code is restricted to 
writing there, and reading from a local channel called info. 
Note that in both these examples the location k is built into the script types. 
Thus a server with an access port at this type would only allow entry to scripts 
which guarantee to write only at k. However dependent types can be used to 
allow this target site to be parameterised. Consider: 

Tdep(z : L) Fdep(y : w(T)@z → pr[info : r(T)@here, y : w(T)@z]) 

where the script type is now parametrised by locations of some type L. This 
allows the server to accept scripts which can write the information at sites 
determined by the client. 

Although these dependent types add considerable flexibility to the interaction 
between clients and servers, they have a potential drawback: the client has to send 
with the script the actual objects on which its type is parametrised. In principle 
this opens up the possibility of (rogue) servers abusing this extra information. 
However existential types provide extra protection to clients because, as we will 
see, this extra information is not required as part of the communication. 

The language SAFeDpi is formally defined in Section 2, together with a 
reduction semantics. In Section 3 we define the set of types and the type inference 
system. In Section 4 we develop a series of example systems. These are designed 
on the one hand to explain the intricacies of the type inference rules, and 
on the other to demonstrate the power and flexibility of the types. 

We now turn to the second main topic, typed behavioural equivalences. In 
untyped languages, these are normally defined coinductively, as the largest equiv- 
alences over processes which preserve some sort of labelled actions. Typically 
these actions describe the possible forms of interactions between a process and 
its environment. In a typed setting many of these actions will not be possible 
because a well-typed environment will not have the power to participate in them. 

Following [9,8] we introduce typed actions of the form Γ ▷ M --α--> Γ' ▷ M', 
where M is the system being observed while Γ is a constraint on the observing 
environment representing its knowledge of the system M. Actions change both 
the processes and the environment in which they are being observed. In Section 5, 
this will lead, in the standard manner, to a coinductively defined, bisimulation-based 
characterisation of contextual equivalence between systems. The paper 
finishes, in Section 6, with conclusions and a brief survey of related work. Due 
to space limitations, the detailed definitions, the proofs and many examples are 
left to the full version [10]. 

2 The Language SAFeDpi 

Syntax: The syntax, given in Figure 1, is a slight extension of that of Dpi from 
[8]. It is explicitly typed, but for expository purposes we defer the description of 
types until Section 3. The syntax also presupposes a general set of channel names 
Names, ranged over by n, m, and a set of variables Vars ranged over by x, y. 
Identifiers, ranged over by u, w, may come from either of these sets. Patterns, 
ranged over by X, Y, are tuples of variables. Names is partitioned into two 
sets, Locs ranged over by k, l, ... for locations, and Chans ranged over by 
Systems 
  M, N ::= l⟦P⟧                        Located process 
         | M | N                        Composition 
         | (new e : E) M                Name creation 
         | 0                            Termination 

Values 
  U, V, W ::= (v)                       Tuples 

Value components 
  v ::= u                               Identifiers 
      | λ(X : T) P                      Scripts 

Processes 
  P, Q ::= u!⟨V⟩                        Output 
         | u?(X : T) P                  Input 
         | goto_u v.P                   Migration 
         | P | Q                        Composition 
         | F(v)                         Application 
         | *P                           Iteration 
         | if u_1 = u_2 then P else Q   Matching 
         | (newc c : C) P               Channel creation 
         | stop                         Termination 
         | (newreg n : N) P             Global name creation 
         | (newloc k : K) with Q in P   Location creation 

Fig. 1. Syntax of SAFeDpi 



a, b, c, ... for channels. There is also a distinguished subset of channels called 
ports, ranged over by p, q, ..., which are used to handle higher-order values. 
Similarly we will sometimes use ξ for variables which will be instantiated by 
higher-order values. 

The syntax for systems, ranged over by M, N, O, is the same as in Dpi, 
allowing the parallel composition of located processes l⟦P⟧, which may share 
defined names, using the construct (new e). The main novelty in SAFeDpi, over 
Dpi, is the construct goto_p k.F. Intuitively this means: migrate to location k 
via the port p with the code F. Our type system will ensure that F is in fact a 
script with a type appropriate to the port p; moreover entry will only be gained 
if at the location k the port p is currently active. 

The various binding structures, for names and variables, give rise to the 
standard notions of free and bound occurrences of identifiers, α-conversion, and 
(capture-avoiding) substitution of values for identifiers in terms, P{|V/x|}; this is 
extended to patterns, P{|V/X|}, in the standard manner, see [10]. 

In the sequel we use system to refer to a closed system term, that is a system 
term which contains no free occurrences of variables; similarly a process means a 
closed process term. 

Reduction Semantics: This is given in terms of a binary relation → between 
systems and is a mild generalisation of that given in [8,11] for Dpi. The main 
novelty is that migration to a site l must designate a port p at which the migrating 
code is to be received. The rule k⟦goto_p l.F⟧ → l⟦p!⟨F⟩⟧ then translates the 
migration command into the system l⟦p!⟨F⟩⟧, which a priori represents a thread 
running at the target location l. However this will have no effect until the site 
l makes available a corresponding thread of the form l⟦p?(x) Q⟧; using another 
rule for local communication this will now allow the effective entry of F. In this 
manner the site l can control the immigration of code. 
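As an added illustration (not code from the paper), the following Python sketch animates the two reduction rules just described on a toy representation of systems: a migration k⟦goto_p l.F⟧ becomes an output l⟦p!⟨F⟩⟧ parked at the target, and that output fires only when the target offers a matching p?(x) Q thread. The thread encoding, the location names CL and s and the port name req are assumptions chosen for the illustration.

```python
# Added example, not from the paper: a toy reducer for SAFeDpi migration.
# A system is a list of located threads (location, thread).  Thread shapes
# (our own encoding, not the paper's syntax):
#   ("goto", port, target, script)  -- goto_port target.script
#   ("out", chan, value)            -- chan!<value>
#   ("in", chan, var, residual)     -- chan?(var) Q, residual(value) yields Q{value/var}
#   ("run", script)                 -- the instantiated script, kept as a leaf
from typing import Any, List, Tuple

Thread = Tuple[Any, ...]
Located = Tuple[str, Thread]

def step(system: List[Located]) -> Tuple[List[Located], bool]:
    """Apply one reduction rule; return the new system and whether anything moved."""
    # (r-go): k[[goto_p l.F]] -> l[[p!<F>]]  -- the code is now parked at l, on port p
    for i, (_, th) in enumerate(system):
        if th[0] == "goto":
            _, port, target, script = th
            rest = system[:i] + system[i + 1:]
            return rest + [(target, ("out", port, script))], True
    # (r-comm): l[[p!<F>]] | l[[p?(x) Q]] -> l[[Q{F/x}]]  -- entry only if l offers p
    for i, (loc_o, out) in enumerate(system):
        if out[0] != "out":
            continue
        for j, (loc_i, inp) in enumerate(system):
            if j == i or inp[0] != "in":
                continue
            if loc_i == loc_o and inp[1] == out[1]:
                residual = inp[3](out[2])
                rest = [t for n, t in enumerate(system) if n not in (i, j)]
                return rest + [(loc_i, residual)], True
    return system, False

def run(system: List[Located], limit: int = 100) -> List[Located]:
    """Reduce until no rule applies (or the step budget is exhausted)."""
    for _ in range(limit):
        system, moved = step(system)
        if not moved:
            break
    return system

# Constructed input: the client CL sends a script to the server s on port req.
SCRIPT = ("script", "news?(x) goto_in CL.report!<x>")   # opaque script value

def migrate(port_active: bool) -> List[Located]:
    """Client at CL migrates to s via req; s may or may not offer req?(xi) run xi."""
    system: List[Located] = [("CL", ("goto", "req", "s", SCRIPT))]
    if port_active:
        system.append(("s", ("in", "req", "xi", lambda f: ("run", f))))
    return run(system)
```

With the port active, migrate(True) ends with the script running at s; with it absent, migrate(False) is stuck at s⟦req!⟨F⟩⟧: the code has arrived but gains no effect, which is exactly the control the site retains.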
3 Typing 

In this section we discuss the types and type inference for SAFeDpi. There are 
three subsections. The first discusses informally the types used, which build on 
those in [11,8,23], the second describes the type environments required to 
infer that systems are well-typed, and the third presents the type inference rules. 

The Types: The collection of types is an extension of those used in [8,11], to 
which the reader is referred for more background and motivation. They are only 
described informally here but the reader can consult the full version for more 
details [10]. 

Base types, ranged over by base: We include some predefined collection of types 
such as int, unit, bool, etc. for various constants in the language. We also 
include a top type ⊤, which can be associated with any identifier. 

Local channel types, ranged over by C, D: These take the form 

r(T), w(T) and rw(T_r, T_w) (when T_w <: T_r) 

where T, T_r, T_w are transmission or value types; that is, types of values 
which may be transmitted along channels. If an agent has a name at the 
latter type then it can transmit values of at most type T_w along it and 
receive from it values which have at least type T_r. When the transmit and 
receive types coincide we abbreviate this type by rw(T). 

Global resource name types, ranged over by N: These take the form rc(C), 
where C is a channel type. Intuitively these are the types of names which 
are available to be used in the declaration of new locations. 

Location types, ranged over by K, L: The standard form for these is written 
loc[u_1 : C_1, ..., u_n : C_n] where the C_i are channel types and the identifiers u_i are 
distinct. An agent possessing a location name k with this type may use the 
channels/resources u_i located there at the types C_i; from the point of view of 
the agent, k is a site which offers the services u_1, ..., u_n at the corresponding 
types. We abbreviate the trivial type loc[] as loc. We also identify location 
types up to reorderings. 

Process types, ranged over by π: The simplest process type is proc, which can 
be assigned to any well-typed process. More fine-grained process types take 
the form pr[u_1 : C_1@w_1, ..., u_n : C_n@w_n] where the pairs (u_i, w_i) are assumed 
to be distinct and C@w denotes the type of a channel of type C located at w. 
A process of this type can use at most the resource names u_i at the locations 
w_i with their specified types C_i; these types determine the locations at which 
the channels u_i may be used. 

Script types, ranged over by S: The general form here is Fdep(x : T → π). 
Scripts of this type require parameters (x) of type (T); when these are supplied 
the resulting process will be of type π. In these types we allow 
π to contain occurrences of a special location constant here to denote the 
current location. These types will be abbreviated to (T → π) whenever the 
variables (x) do not appear in the process type π. 
Finally, Transmission or Value types dictate the kind of values which can 
be transmitted over channels. These may be first order values, or scripts. We also 
allow dependent and existential types to be used. For example inputting a value 
of the dependent type Tdep(x : K) S will result in the reception of a pair (k, F), 
where F is guaranteed to be of type S{|k/x|}; k is the witness that the script F has 
the required type, and is received with the script. On the other hand inputting at 
the corresponding existential type Edep(x : K) S will only result in the reception 
of the value F, although, as we will see, when the overall system is typechecked 
the witness k must be produced, to verify that F is indeed well-typed. 

Type Environments: A type judgement will take the form Γ ⊢ M where Γ 
is a type environment, a list of assumptions about the types to be associated 
with the identifiers in the system M. These can take the form u : E where E is 
one of loc, C@w, rc(C), S@w and (T with y : E). The last of these is constrained 
to the situation in which u is a variable and represents a package, which will be 
used to handle existential types. Intuitively this defines the association u : T but 
the type T may depend on the auxiliary associations y : E. Lists of assumptions 
are created dynamically during typechecking, typically by augmenting a current 
environment with new assumptions on bound variables. It is convenient to 
introduce a particular notation for this operation; let {V : T} be a list of type 
assumptions defined by 

- {v : C@w} = v : C@w and {x : S@w} = x : S@w 

- {v : loc[u_1 : C_1, ..., u_n : C_n]} = v : loc, u_1 : C_1@v, ..., u_n : C_n@v 

- {(y, x) : Tdep(y : E) T} = {y_1 : E_1}, ..., {y_n : E_n}, {x : T} 

- {x : Edep(y : E) T} = x : (T with {y_1 : E_1}, ..., {y_n : E_n}) 

Of course there are lots of other possibilities for V and T but only those mentioned 
give rise to lists of assumptions. In order to describe the set of valid environments 
we introduce judgements of the form Γ ⊢ env. The inference rules are 
straightforward and consequently are omitted in this extended abstract. We also 
omit the definition of subtyping judgements, of the form Γ ⊢ T <: U. Here it is 
worth noting that process types are ordered differently than location types. For 
example we have Γ ⊢ loc[u_1 : C_1, u_2 : C_2] <: loc[u_1 : C_1] but 

Γ ⊢ pr[u_1 : C_1@k] <: pr[u_1 : C_1@k, u_2 : C_2@l] 

assuming, of course, that the various types used are well-defined relative to Γ. 

Type Inference: We now describe the type inference system for ensuring that 
systems are well-typed. There are three forms of judgements, for systems, processes 
and values. The type inference rules for the first, Γ ⊢ M, meaning that M 
is a well-typed system relative to Γ, are straightforward adaptations from the 
analogous rules in [11,8]. The intention is that whenever such a judgement can 
be inferred it will follow that Γ is a well-formed environment. 

The typing rules for the judgements on processes and values, Γ ⊢_w P : π and 
Γ ⊢_w V : T, are defined simultaneously and we give the more interesting rules for 
these in Figure 2. 

SAFeDpi: a Language for Controlling Mobile Code 

(ty-TuDep) 
  Γ ⊢_w v_i : E_i{|ṽ/x̃|}    Γ ⊢_w v : T{|ṽ/x̃|} 
  ------------------------------------------ 
  Γ ⊢_w (ṽ, v) : Tdep(x̃ : Ẽ) T 

(ty-EDep) 
  Γ ⊢_w v_i : E_i{|ṽ/x̃|}    Γ ⊢_w v : T{|ṽ/x̃|} 
  ------------------------------------------ 
  Γ ⊢_w ⟨ṽ, v⟩ : Edep(x̃ : Ẽ) T 

(ty-Elookup) 
  Γ, y : (T@w with x̃ : (Ẽ)@w), Γ' ⊢ env 
  ------------------------------------------ 
  Γ, y : (T@w with x̃ : (Ẽ)@w), Γ' ⊢_w y : T 

(ty-Unpack) 
  Γ ⊢_w ⟨ṽ, v⟩ : Edep(x̃ : Ẽ) T 
  ------------------------------ 
  Γ ⊢_w v : T{|ṽ/x̃|} 

(ty-out) 
  Γ ⊢_w V : T    Γ ⊢ pr[u : w(T)@w] <: π    Γ ⊢ prch[V : (T)@w] <: π 
  ------------------------------------------------------------------- 
  Γ ⊢_w u!⟨V⟩ : π 

(ty-outE) 
  Γ ⊢_w ⟨ṽ, v⟩ : Edep(x̃ : Ẽ) T    Γ ⊢ pr[u : w(Edep(x̃ : Ẽ) T)@w] <: π    Γ ⊢ prch[ṽ : (Ẽ)@w] <: π 
  ------------------------------------------------------------------------------------------- 
  Γ ⊢_w u!⟨v⟩ : π 

(ty-in) 
  Γ ⊢ pr[u : r(T)@w] <: π    Γ, {X : (T)@w} ⊢_w P : π ⊔ prch[X : (T)@w] 
  ---------------------------------------------------------------------- 
  Γ ⊢_w u?(X : T) P : π 

(ty-subproc) 
  Γ ⊢_w P : π    Γ ⊢ π <: π' 
  --------------------------- 
  Γ ⊢_w P : π' 

(ty-abs) 
  Γ, {x̃ : (T̃)@w} ⊢_w P : π{|w/here|} 
  ------------------------------------ 
  Γ ⊢_w λ(x̃ : T̃). P : Fdep(x̃ : T̃ → π) 

(ty-beta) 
  Γ ⊢_w F : Fdep(x̃ : T̃ → π)    Γ ⊢_w v_i : T_i 
  -------------------------------------------- 
  Γ ⊢_w F(ṽ) : π{|ṽ/x̃|} 

Fig. 2. Selected rules for typing values and processes 



Let us first examine those for values. Dependent tuple values are typed with 
(ty-TuDep). The value (ṽ, v) can be assigned the type Tdep(x̃ : Ẽ) T provided 
each v_i can be assigned the type E_i{|ṽ/x̃|} and v the type T{|ṽ/x̃|}. For existential 
types we need to invent a new kind of value ⟨ṽ, v⟩; these do not occur in the 
language SAFeDpi, and are only used by the type inference system; intuitively 
⟨ṽ, v⟩ is a package consisting of the value v together with the witnesses ṽ, which 
provide evidence (for the type inference system) that v has its required type. The 
rule (ty-EDep) allows us to construct such values and is similar to the rule for 
dependent tuples. Dependent tuples can be deconstructed and their components 
accessed in the standard manner. However the corresponding deconstruction for 
existential types only allows access to the final component, and not the witnesses; 
(ty-Unpack) allows the value, rather than the witnesses, to be extracted at 
the appropriate type from the package. Similarly (ty-Elookup) only allows 
knowledge of the value, and not the witnesses, to be deduced from an existential 
assumption. 

In typing processes, rules (ty-abs) and (ty-beta) are standard rules for 
abstraction and application, adapted to dependent function types. But note the 
use of {x : (T)@w} in the premise of the former; the arguments in an abstraction 
are relativised to the current location w. However the real interest is in the 
typing of the input and output processes. For example to ensure u!⟨V⟩ has a 
process type π relative to Γ, (ty-out), we have to ensure that u has the output 
capability at some type appropriate to V. Thus we need to find some type T 
such that V : T and u has the output capability on T. But we must 
also check that this capability is allowed by π. Both of these requirements are 
encapsulated in the second premise of the rule, Γ ⊢ pr[u : w(T)@w] <: π. But 
there is a further complication. If the value being sent, V, contains channels, or 
more precisely capabilities on channels, then these must also be allowed by π. 
This is the intent of the third premise Γ ⊢ prch[V : T@w] <: π, which uses a 
(partial) function which constructs a process type from a value V and its type; 
it essentially extracts out any channels which may be in V. 

The rule for transmitting existential values, (ty-outE), is a slight variation. 
We must establish a package ⟨ṽ, v⟩ of the correct outgoing type, but only the 
(unpacked) value v is actually transmitted. Finally to ensure u?(X : T) P has 
the type π, we need to check that u has the appropriate read capability, which 
also is allowed by π (premise Γ ⊢ pr[u : r(T)@w] <: π), and that the capabilities 
exercised by the residual P are either allowed by π or inherited by values which 
are input and bound to X (premise Γ, {X : (T)@w} ⊢_w P : π ⊔ prch[X : T@w]). 

We conclude this section with the following theorem, which is proved in [10]. 

Theorem 1 (Subject Reduction). Suppose Γ ⊢ M. Then M → N implies 
Γ ⊢ N. 

4 Examples 

In this section we demonstrate the usefulness of the type system by a series of 
examples of increasing sophistication. To make the examples more readable let 
us introduce some convenient notation. First we will abbreviate the transmission 
type unit → proc, for thunked processes, simply to thunk. Then we use run as an 
abbreviation for the term λ(ξ : thunk). ξ(), where () is the only value of type unit. So 
the type of run is thunk → proc; it takes a thunked process and runs it. Thunked 
processes, which we often refer to as thunks, take the form λ(). P but in the 
context of goto_p ... and port outputs p!⟨...⟩ we will omit the λ abstraction; 
thus goto_in l.λ(). P is abbreviated to goto_in l.P. Finally we mimic the notation 
of process types for thunks, by letting th[...] denote the type unit → pr[...]. 

Site Protection: A simple infrastructure for a typical site could take the form 

h⟦*in?(ξ : I) run ξ | S⟧ 

The on-site code S could provide various services for incoming agents, repeatedly 
accepted at the input port in. In a relaxed computing environment the type I 
could simply be thunk, indicating that any well-typed code will be allowed to 
immigrate. In the sequel we will always assume that when the type of the port 
in is not discussed it has this liberal type. 

However constraints can be imposed on incoming code by only publicising 
ports which have associated with them more restrictive guardian types. In such 
cases it is important that read capabilities on these ports be retained by 
the host. This point will be ignored in the ensuing discussion, which instead 
concentrates on the forms the guardian types can take. 
Consider a system consisting of a server and client, defined below, running 
in parallel. 

Server: s⟦req?(ξ : S) run ξ | *news!⟨scandal⟩⟧ 

Client: CL⟦goto_req s.news?(x) goto_in CL.report!⟨x⟩ | in?(ξ : R) run ξ | report?(y) ...⟧ 

The server is straightforward; it accepts incoming code at the port req and runs 
it. The only service it provides is some information on a channel called news. The 
client, who knows of the req port at the server, sends code there to collect the 
news and report it back to its own channel report; the type at which it inputs 
from news, which obviously must be string, is elided. This code migrates twice, 
once via the port req from the client to the server, and once via the port in, from 
the server to the client. 

The server protects its site using the guardian type S while the client protects 
its site using R. What should these be? Let us assume that both sites have the 
required channels at appropriate types; that is, suppose in Γ we have the entries: 
{news : rw(string)@s, req : rw(S)@s, report : rw(string)@CL, in : rw(R)@CL}. 

The first possibility is for the client to be relaxed but the server vigilant: 

R : thunk    S : th[news : r(string)@s, in : w(R)@CL] 

Here the client allows in any well-typed process, whereas the server will only 
accept at the port req processes which use at most the local channel news and 
the port in at the site CL; moreover the local channel news can only be used in 
read mode. With these types one can show that the overall system is well-typed. 

The current type R, i.e. thunk, leaves the client site open to abuse but it is 
easy to check that the above reasoning is still valid if the guardians are changed 
to 

R : th[report : w(string)@CL] 

Here the guardian for the client only allows in agents which write to the local 
channel report; note that this change requires that the guardian at the server site 
also uses this more restrictive type in its annotation for the port in at CL. One 
can also check that with these new restrictive guardians the system is still 
well-typed. 
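The subtyping direction noted in Section 3 (location types grow with the services offered, process types with the capabilities granted) and the guardian-type check of the Site Protection example can be animated with a small Python checker. It is an added example, not the paper's code; the channel-type subtyping it uses (read covariant, write contravariant, as in Dpi) and the encoding of records as dictionaries keyed by (channel, location) are our assumptions, since the paper omits the subtyping rules.

```python
# Added example, not from the paper: subtyping on SAFeDpi-style capability records
# and the admission check a guardian type performs on an incoming thunk.
# Encoding (ours): transmission types are "string", "unit", "top", or ("th", rec)
# where rec is a pr[...] record, or None for the liberal type thunk = unit -> proc;
# channel types are ("r", T), ("w", T), ("rw", Tr, Tw); a record maps
# (channel, location) to a channel type, standing for the entries u : C@w.

def ty_sub(t, u) -> bool:
    """Transmission-type subtyping t <: u (assumed rules)."""
    if u == "top":
        return True
    if isinstance(t, str) or isinstance(u, str):
        return t == u
    if u[1] is None:            # every th[...] is below thunk = unit -> proc
        return True
    if t[1] is None:            # but thunk itself is below no th[...]
        return False
    return pr_sub(t[1], u[1])

def chan_sub(c, d) -> bool:
    """Channel-type subtyping c <: d: read covariant, write contravariant."""
    if d[0] == "r":
        got = c[1] if c[0] in ("r", "rw") else None
        return got is not None and ty_sub(got, d[1])
    if d[0] == "w":
        got = c[1] if c[0] == "w" else (c[2] if c[0] == "rw" else None)
        return got is not None and ty_sub(d[1], got)
    return c[0] == "rw" and ty_sub(c[1], d[1]) and ty_sub(d[2], c[2])

def loc_sub(a, b) -> bool:
    """loc[a] <: loc[b]: a offers every service b lists, at a subtype."""
    return all(k in a and chan_sub(a[k], b[k]) for k in b)

def pr_sub(a, b) -> bool:
    """pr[a] <: pr[b]: every capability a uses is granted by b; a channel granted
    at type C may be used at any supertype of C."""
    return all(k in b and chan_sub(b[k], a[k]) for k in a)

def port_admits(guardian, uses) -> bool:
    """A port of guardian type th[guardian] accepts a thunk whose body has process
    type pr[uses] exactly when pr[uses] <: pr[guardian]."""
    return pr_sub(uses, guardian)

# The Site Protection example, in this encoding.
THUNK = ("th", None)
R_STRICT = ("th", {("report", "CL"): ("w", "string")})        # th[report : w(string)@CL]
S_GUARDIAN = {("news", "s"): ("r", "string"),                 # th[news : r(string)@s,
              ("in", "CL"): ("w", THUNK)}                     #    in : w(R)@CL], R = thunk
S_STRICT = {("news", "s"): ("r", "string"), ("in", "CL"): ("w", R_STRICT)}
# Capabilities exercised by  news?(x) goto_in CL.report!<x> : it reads news at s and
# sends to port in at CL a thunk that writes report, i.e. a value of type R_STRICT.
CLIENT_USES = {("news", "s"): ("r", "string"), ("in", "CL"): ("w", R_STRICT)}
# A rogue script that additionally leaks to a third-party channel (constructed input).
ROGUE_USES = {**CLIENT_USES, ("leak", "evil"): ("w", "string")}
```

port_admits(S_GUARDIAN, CLIENT_USES) and port_admits(S_STRICT, CLIENT_USES) both hold, ROGUE_USES is refused by either guardian, and a script that reads news at type int is refused because string is not a subtype of int. The loc/pr asymmetry from Section 3 shows up as loc_sub holding from the wider record to the narrower one while pr_sub holds in the opposite direction.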

Dependent Process Types: There remains a major difficulty with the servers 
above. The guardian type of the server S uses the name of the client CL, and 
therefore it can only be used by that client. To overcome this difficulty and 
allow servers to be accessed by different clients we need to allow process types to 
depend on locations and channels by using the dependent type Tdep(x : E) S. 
An example of the use of such types is in the following variation of the client 
server from above: 

Server: s⟦req?(ξ with y : Sd) run ξ | *news!⟨scandal⟩⟧ 

Client: CL⟦(newc report) (goto_req s.news?(x) goto_in CL.report!⟨x⟩ with CL    (1) 
              | in?(ξ : R) run ξ | report?(y) ...)⟧ 

with the types 

R : thunk    Sd : Tdep(y : I) th[news : r(string)@s, in : w(R)@y]    I : loc[in : w(R)] 

Here the important point to notice is that the server's guardian type at the port req, 
Sd, no longer mentions any client's name; it can be used by any client which 
satisfies the type's requirements. The server accepts a thunk, of type th[news : 
r(string)@s, in : w(R)@y], which must be accompanied by a location of type I to be 
used in place of the variable y in Sd. A typical client CL can generate a new reply 
channel report and send to the server the thunk news?(x) goto_in CL.report!⟨x⟩ 
accompanied by the required location, in this case CL. 

The example we have just considered, (1), a priori leaves the clients insecure 
because of the use of the liberal type thunk for the client's guardian type R. But it 
can be generalised so that this guardian is strengthened, allowing in only threads 
which are going to write to the locally declared reporting channel. Here is one 
possible formulation: 

Server: s⟦req?(ξ with (y, z, x) : Sd) run ξ | *news!⟨scandal⟩⟧    (2) 

Client: CL⟦(newc report, in : rw(R)) (goto_req s.news?(x) 
              goto_in CL.report!⟨x⟩ with (CL, report, in) | in?(ξ : R) run ξ | report?(y) ...)⟧ 

Here a client generates a local channel report, whose type rw(string) we have 
elided, and a local port in whose declaration type is rw(R), where R is the more 
restrictive guardian type th[report : w(string)@CL]. In other words in has been 
specially created to restrict entry to processes which will only write on the newly 
created channel report. The client then sends the usual process to the server but 
now accompanies it with the triple (CL, report, in). 

The code for the server is the same except that accompanying the incoming 
thread it expects three values. Its guardian type Sd however is changed to 

Sd : Tdep(y : loc, z : w(string)@y, x : w(th[z : w(string)@y])@y) 
         th[news : r(string)@s, x : w(th[z : w(string)@y])@y] 

Here, once more, this guardian type does not mention any client names, but it 
allows clients to employ much more restrictive guardian types at their own sites. 
We leave the reader to check that this revised system can still be typechecked. 

Existential Process Types: The use of dependent script types has certain 
disadvantages from the point of view of the clients. For example in (2) above 
the client sends to the server, in addition to the script to be executed, the triple 
(CL, report, in). Although these are not used by the server we have defined, other 
than as part of the received script, servers are in principle able to use them in 
any way they see fit. An alternative server could be given by 

badServer: s⟦req?(ξ with (y, z, x) : Sd) goto_x y.z!⟨boring⟩⟧    (3) 

This rogue server does not run the incoming script to obtain the latest news; 
instead it uses the incoming accompanying values and sends directly to the client 
some boring data. 
Existential types, Edep(x : E) S, allow the client to hide from the server the 
data which accompanies the incoming scripts. Let us now reformulate (2) above 
using existential types: 

Server: s⟦req?(ξ : Se) run ξ | *news!⟨scandal⟩⟧ 

Client: CL⟦(newc report, in : rw(R)) (goto_req s.news?(x) goto_in CL.report!⟨x⟩ 
              | in?(ξ : R) run ξ | report?(y) ...)⟧ 

Here the guardian type Se is 

Edep(y : loc, z : w(string)@y, x : w(th[z : w(string)@y])@y) 
         th[news : r(string)@s, x : w(th[z : w(string)@y])@y] 

The server is much the same as before except that it does not receive any 
parameters with the incoming script. Similarly the client only sends the script. 

Now let us reconsider the badServer from (3) above. Using existential types 
this example might be written 

badServer: s⟦req?(ξ : Se) goto_x y.z!⟨boring⟩⟧ 

But one can show that this no longer typechecks. The detailed type inferences 
as well as other examples are found in [10]. 
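How the environment rules {V : T} of Section 3 make badServer fail under Se can be traced with the following Python model, an added example rather than the paper's own code. Types are kept as opaque strings; what is modelled is only which assumptions an input at a Tdep or Edep type adds to Γ, that (ty-Elookup) reveals a package's value type but never its witnesses, and that (ty-EDep) on the client side still demands the witnesses. The environment contents are assumptions constructed for the illustration.

```python
# Added example, not from the paper: assumption lists for dependent versus
# existential inputs, and the consequence for badServer.
# Encoding (ours): an environment is a list of (name, type); a type is an opaque
# string, ("Tdep", [(y_i, E_i), ...], T) or ("Edep", [(y_i, E_i), ...], T); an
# existential package is stored as ("with", T, [(y_i, E_i), ...]).
from typing import List, Optional, Sequence, Tuple

Env = List[Tuple[str, object]]

def bind_input(env: Env, pattern, ty) -> Env:
    """Assumptions generated by  u?(pattern : ty) P  for the body P."""
    if isinstance(ty, tuple) and ty[0] == "Tdep":
        # {(y, x) : Tdep(y : E) T} = {y_1 : E_1}, ..., {y_n : E_n}, {x : T}
        witness_vars, script_var = pattern
        types = [e for _, e in ty[1]]
        return env + list(zip(witness_vars, types)) + [(script_var, ty[2])]
    if isinstance(ty, tuple) and ty[0] == "Edep":
        # {x : Edep(y : E) T} = x : (T with y_1 : E_1, ..., y_n : E_n)
        return env + [(pattern, ("with", ty[2], ty[1]))]
    return env + [(pattern, ty)]           # first-order or plain script input

def lookup(env: Env, name: str) -> Optional[object]:
    """(ty-Elookup): a package yields its value's type T; the witnesses stay hidden."""
    for n, t in reversed(env):
        if n == name:
            return t[1] if isinstance(t, tuple) and t[0] == "with" else t
    return None

def free_names_typable(env: Env, names: Sequence[str]) -> bool:
    """Necessary condition for a body to typecheck: every free identifier it uses
    must have an assumption in env (the capability premises are not modelled)."""
    return all(lookup(env, n) is not None for n in names)

def can_pack(env: Env, witness_names: Sequence[str]) -> bool:
    """(ty-EDep) on the sender's side: the witnesses must be typeable in env even
    though they are never transmitted."""
    return free_names_typable(env, witness_names)

# Guardian types of system (2) and of its existential reformulation (same witnesses).
WITNESSES = [("y", "loc"), ("z", "w(string)@y"), ("x", "w(th[z : w(string)@y])@y")]
BODY = "th[news : r(string)@s, x : w(th[z : w(string)@y])@y]"
SD = ("Tdep", WITNESSES, BODY)
SE = ("Edep", WITNESSES, BODY)

SERVER_ENV: Env = [("s", "loc"), ("news", "rw(string)@s"), ("req", "rw(S)@s")]
BAD_SERVER_USES = ("y", "z", "x")   # free identifiers of  goto_x y. z!<boring>
GOOD_SERVER_USES = ("xi",)          # free identifier of  run xi

def server_env_after_input(guardian) -> Env:
    """Gamma seen by the server body after  req?(xi with (y, z, x) : Sd)  or  req?(xi : Se)."""
    if guardian[0] == "Tdep":
        return bind_input(SERVER_ENV, (("y", "z", "x"), "xi"), guardian)
    return bind_input(SERVER_ENV, "xi", guardian)

CLIENT_ENV: Env = [("CL", "loc"), ("report", "rw(string)@CL"), ("in", "rw(R)@CL")]
```

free_names_typable(server_env_after_input(SD), BAD_SERVER_USES) holds, so badServer (3) typechecks under Sd; under SE the same call fails because y, z and x never enter Γ, while lookup still returns the script type for ξ, so the honest server's run ξ is unaffected. On the client side can_pack(CLIENT_ENV, ["CL", "report", "in"]) must hold before the script can be sent at type Se.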

5 The Behaviour of SAFeDpi Systems 

In this section we investigate what might be an appropriate notion of semantic 
equivalence between SAFeDpi systems. We first propose what we believe to be a 
natural notion of contextual equivalence. Then, in the following sections, we give 
a coinductive characterisation using actions between configurations, consisting 
of SAFeDpi systems together with the environment's current knowledge of the 
system. 

For notational convenience we limit ourselves to the case when the only 
transmission types allowed are of the form Tdep(x : A) A, Tdep(x : A) S, or Edep(x : 
A) S. Simple scripts may be simulated via the empty dependent type Tdep() S, as 
can simple first-order values, via the type Tdep() A. So our results can easily be 
extended to the full language. 



5.1 A Contextual Equivalence 

We intend to use a context based equivalence in which systems are asked to be 
deemed equivalent in all reasonable SAFeDpi contexts. What is perhaps not so 
clear here is the notion of reasonable context. In previous work on mobile calculi, 
[9,8,1], the equivalence took the form Γ ⊨ M ≅ N, meaning, intuitively, that M 
and N are indistinguishable in any context typeable by the typing environment 
Γ. Such equivalences, for the Picalculus and Dpi, can be characterised coinductively 
using actions of the form (Γ ▷ M) --α--> (Γ' ▷ M') where (Γ ▷ M), (Γ' ▷ M') 
are configurations, consisting of systems M, M' and type environments Γ, Γ', 
representing the current knowledge of the testing context. In general such actions 
change not only the systems, M to M', but also the current knowledge, from Γ 
to Γ', typically by adding new information. 

However, there are further subtleties which need to be considered in the 
current setting. We discuss this with a motivating example. 

Consider Γ = l : loc, b : rc(rw(unit)), a : rw(loc[b : rw(unit)])@l and 

M = (new k : loc[b : rw(unit)]) l⟦a!⟨k⟩⟧ | k⟦b!⟨⟩⟧ 
N = (new k : loc[b : rw(unit)]) l⟦a!⟨k⟩⟧ | k⟦stop⟧ 

These two systems are well-typed with respect to Γ and should be considered 
equivalent under most reasonable notions of behavioural equivalence; it is impossible 
for a testing process to interact with M on b at k, even after the interaction 
on a at l. Indeed, consider what form a test which could achieve this must take: 

   | l⟦a?(x) goto_? x.b?()⟧ 

It is clear that there is no port for the testing process to enter the location k on. 
Moreover, tests cannot be placed directly at k as k is only discovered through 
interaction. 

To sum up we would expect Γ ⊨ M ≅_cxt N to hold, for an appropriate formulation 
of contextual equivalence for SAFeDpi. But a naive labelled transition 
system of the form discussed above would distinguish them. It should be 
clear from this discussion then that in modelling behavioural equivalence in this 
setting, we must be aware of those locations at which we can, and can not, perform 
tests. And this is not simply a question of which locations the environment 
has immigration rights for, via some port. 

Definition 2 (Knowledge structures). A knowledge structure is a pair 
(Γ, T), where 

- Γ is a type environment such that Γ ⊢ env 

- T is a subset of Locs such that if k ∈ T then k : loc ∈ Γ 

We use X to range over knowledge structures and write X_Γ and X_T to refer to 
the respective components of the structure. 

Definition 3 (Configurations). A configuration is written as X ▷ M where 

- X is a knowledge structure 

- there exists some Δ such that Δ ⊢ M, Δ <: X_Γ, and dom(Δ) = dom(X_Γ). 

Definition 4 (Knowledge-indexed relations). A knowledge-indexed relation 
over systems is a family of binary relations between systems indexed by 
knowledge structures. We write X ⊨ M R N to mean that systems M and N are 
related by R at index X and moreover, X ▷ M and X ▷ N are both configurations. 
[Fig. 3. Labelled Transition System Axioms. The action labels on the arrows did not 
survive extraction; only the side conditions are recoverable. The axioms cover: the 
environment sending a first-order value V on a at k, provided k ∈ X_T, a : w(T)@k 
∈ X_Γ and X_Γ ⊢_k V : T; the system outputting a name u on a at k to the 
environment, provided a : r(T)@k ∈ X_Γ and X_Γ ⊓ {u : T} ⊢ env, which extends the 
knowledge to X_Γ ⊓ {u : T}; the system delivering a script F on a at k, at an 
existential type Edep(x : T) S or a dependent type Tdep(x : E) S, to an environment 
script G with X_Γ ⊢ G : T → proc, in the dependent case also recording the witnesses 
u in the knowledge; and the environment placing code p!⟨V⟩ at a known location 
k ∈ X_T, provided X_Γ ⊢_k p!⟨V⟩ : proc.] 



We will use knowledge-indexed relations to propose a notion of behavioural 
equivalence appropriate to this setting. We do this in an established manner 
[12,6,9] by proposing that we consider the largest equivalence which respects 
reductions, a suitable notion of observation barb, and is closed under system 
contexts. We write ≅_cxt for the largest such relation. 

The quantification over all contexts makes reasoning about the equivalence 
virtually intractable. However it is common practice, [19,21,1,9,8], to provide 
some sort of model or alternative characterisation in terms of labelled transition 
systems, which makes the behaviour of systems much more accessible. In particular 
if the actions in the labelled transition system are sufficiently simple this 
can lead to automatic, or semi-automatic, verification methods. 



5.2 A Bisimulation Equivalence 

We first present the labels, or actions, to be used in the labelled transition system. 
They are given by the following grammar: 

α ::= τ | (ñ : Ẽ)go_p k.F | (ñ : Ẽ)(m̃)k.a.β        β ::= V? | V! 

where it is assumed that k, a, p ∉ ñ, m̃. Most of these actions will be familiar to 
those acquainted with Picalculus labelled transitions. The action go_p k.F represents 
an attempt by the environment to enter location k on port p. The code to 
be deployed, if this attempt succeeds, is given by the script F. 

With this notation we define judgements of the form 

(X ▷ M) --α--> (X' ▷ N)    (4) 
representing the effect of the system M performing the action labelled α, in an 
environment whose knowledge is X. This action changes the system, from M to 
N, and the knowledge, from X to X'. Typically this is an increase in knowledge 
of the testing environment of the system, represented as the change from the 
type environment X_Γ to X'_Γ. Consequently we need a notation for augmenting 
type environments. We extend that used in [8], by defining a partial binary 
operation Γ ⊓ Γ' on lists of type associations. Intuitively this constructs a new 
list of associations by combining those in Γ and Γ'; if u happens to have a type 
in both, say E and E', then in the newly constructed list it will have the type 
E ⊓ E'; for the operation to be defined all such meets are required to exist. The 
details of the construction are omitted as it is only a mild generalisation of that 
from [8]. 

The axioms for the judgements (4) are given in Figure 3; these are based 
on the rules in Figure 10 of [8]. Further structural rules are also required but 
the details are omitted here. The standard definition of bisimulation gives a 
coinductive bisimilarity relation over configurations: we write X ⊨ M ≈_bis N 
whenever there exists some bisimulation R such that (X ▷ M) R (X ▷ N). With 
this notation, we are able to compare bisimilarity directly with the touchstone 
behavioural equivalence ≅_cxt, which leads us to our second main result. 

Theorem 5 (Full abstraction of ≈_bis for ≅_cxt). X ⊨ M ≅_cxt N if and only 
if X ⊨ M ≈_bis N. 

6 Conclusion 

We have developed a sophisticated type system for controlling the behaviour of mobile code in distributed systems, and demonstrated that, at least in principle, coinductive proof principles can still be applied to investigate their behaviour.

The use of types in this manner could be considered a particular case of the general approach of proof-carrying code [18] and typed assembly language (TAL) [17]. Here hosts would publish their safety policies in terms of a type or logical proposition, and code wishing to enter would have to arrive with a proof, which a typechecker or proofchecker can use to verify that it satisfies the published policy. Indeed we intend to use the types of the current paper in this manner, by extending the work in [20]. The work of [18] and [17] has inspired much further research into the use of type systems in higher-level languages for resource access and usage monitoring, [22], [13], for example. However the emphasis in these papers is on the dynamics and counting of resource usage rather than on using sophisticated types to specify fine-grained access control.

There has been much work on modelling mobility and locations using particular process calculi. Perhaps the calculus closest to safeDpi is the Seal Calculus [5]. Seals are hierarchically organised computational sites in which inter-seal communication, which is channel-based, is only allowed among siblings or between parents and children. Seals may also be communicated, rather like the communication of higher-order processes along ports in safeDpi; indeed in some sense it is more general, as the seal being transmitted may be computationally active. However the communication of seals is more complicated, as it involves agreement between three participants: the sender, the receiver, and the seal being transmitted. Seals are also typed using interfaces, similar to our fine-grained process types $\pi$. But these only record the input capabilities a seal offers to its parents, and in order to preserve interfaces under reduction the transmission of input channel capabilities is forbidden in the language. This is a severe restriction, at least in general distributed computing, if not in the more focused application area of seals. For example, the generation of new servers requires the transmission of input capabilities. We believe that our dependent and existential types can also be applied to the Seal Calculus, to obtain a more general notion of interface which will still be preserved by reduction.

Type systems have also been used to explicitly control mobility in distributed calculi, most notably in variants of the Ambient calculus of Cardelli and Gordon [3]. In particular, [2] and [16] use subtyping to control the movement of mobile processes in a hierarchically distributed system by introducing explicit types to express permission to migrate. A similar technique was used for Dpi in [11] and [8]. In contrast, here we control mobility only indirectly, through types. Code is always permitted to migrate provided it has access to a suitable port at the target location; restricting the use of channels in the types consequently restricts migration. Indeed, we decouple permission to migrate from the location name itself, affording more flexibility in the control of migration.

The coinductive characterisation presented here makes use of higher-order actions in the sense that, to interact with a system willing to send a script $V$, the environment must supply a receiving script $G$ to which $V$ will be applied. A similar approach is used in the characterisation theorems for various forms of ambients in [7] and [15]. Higher-order actions are also used in the bisimulation equivalence presented in [4] for the Seal calculus. However, there the three-way nature of higher-order communication leads to a proliferation of such actions, some of which cannot be simulated by seal contexts; see Section 4.4 of [5] for examples. As a result the bisimulation equivalence is more discriminating than the natural contextual equivalence for seals.
Abstract. We show that it is decidable in time complexity 2 whether the language accepted by an n-state non-deterministic automaton is of star height one, which is the first ever complexity result for the star height one problem. To achieve this, we introduce distance desert automata as a joint generalization of distance automata and desert automata, and show the decidability of their limitedness problem by solving the underlying Burnside problem.



1 Introduction 

This paper is the second in a series of papers in which we introduce new models of weighted automata to solve important decision problems in the theory of recognizable languages. Our first main result states the first ever complexity bound for the "classic" star height one problem. "Classic" star height concerns rational expressions with union, concatenation, and iteration, in contrast to extended star height, which also allows intersection and complement. To achieve this, we introduce distance desert automata as a joint generalization of K. Hashiguchi's distance automata [3] and the author's desert automata [5]. Our second main result is the decidability of the limitedness problem for distance desert automata, which generalizes classic results by K. Hashiguchi, H. Leung, I. Simon, and the author [3,5,9,16]. We prove the decidability of the limitedness problem by a reduction to a Burnside problem, which is solved by a fusion and further development of approaches by I. Simon, H. Leung, and the author [5,9,10,14,16].

2 Overview 

2.1 Preliminaries 

For sets $M$, we denote by $\mathcal P(M)$ the power set of $M$, and we denote by $\mathcal P_f(M)$ (resp. $\mathcal P_{ne}(M)$) the set of all finite (resp. non-empty) subsets of $M$. In the main part of the paper, we fix some $n \ge 1$ for the dimension of matrices. Whenever we do not explicitly state the range of a variable, then it ranges over $\{1,\dots,n\}$, e.g., a phrase like "for every $i,j$" is understood as "for every $i,j \in \{1,\dots,n\}$".



2.2 Distance Desert Automata

A distance desert automaton (dd-automaton) is a 6-tuple $[Q, E, I, F, E^{\mathsf Z}, E^{\nabla}]$ where $[Q,E,I,F]$ is a non-deterministic finite automaton, the transitions in $E^{\mathsf Z} \subseteq E$ are called peages and the transitions in $E^{\nabla} \subseteq E$ are called water transitions. Let $A = [Q, E, I, F, E^{\mathsf Z}, E^{\nabla}]$ be a dd-automaton. Its language $L(A)$ is defined as $L([Q,E,I,F])$.

Let $\pi$ be a path in $A$. We denote by $\Delta_1(\pi)$ the number of occurrences of peages in $\pi$. We call $\pi'$ a subpath of $\pi$ if there are paths $\pi_1, \pi_2$ in $A$ satisfying $\pi = \pi_1\pi'\pi_2$. We denote by $\Delta_2(\pi)$ the length of a longest subpath of $\pi$ which does not contain any water transition. The intuition behind these mappings is that we imagine $\pi$ as a path through a desert. We intend to walk along $\pi$. Whenever we come along a peage, we have to pay a coin, i.e., $\Delta_1(\pi)$ is the number of coins which are required. We carry a water tank, but this tank does not last the entire path. Whenever we come along a water transition, we can fill up the tank, and the tank has to last until we meet the next water transition. We can understand $\Delta_2(\pi)$ as the required capacity of the tank to walk along the path $\pi$.

We define $\Delta(\pi) = \Delta_1(\pi) + \Delta_2(\pi)$. For every word $w \in \Sigma^*$, let us set $\Delta(w) = \min\{\Delta(\pi) \mid p \in I,\ q \in F,\ \pi \in p \xrightarrow{w} q\}$, where $p \xrightarrow{w} q$ denotes the set of all paths from $p$ to $q$ with the label $w$. A dd-automaton is limited if there is a $d \in \mathbb N$ such that $\Delta(w) \le d$ for every $w \in L(A)$.

If $E^{\nabla} = E$, then $\Delta_2(\pi) = 0$ for every path $\pi$. In this case, $A$ is a distance automaton. Consequently, K. Hashiguchi's distance automata [3] are exactly the dd-automata with $E^{\nabla} = E$.

If $E^{\mathsf Z} = \emptyset$, then $\Delta_1(\pi) = 0$ for every path $\pi$, i.e., $A$ is a desert automaton. Thus, the author's desert automata [5] are exactly the dd-automata with $E^{\mathsf Z} = \emptyset$.
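The definition of $\Delta(w)$ above is a minimum over all accepting paths of an additive part (coins) plus a non-additive part (the longest dry stretch). The following Python program, added here as a worked example and not taken from the paper, computes $\Delta(w)$ by a dynamic programme over prefixes that carries the dry-stretch bookkeeping in its state; the automaton, its transition encoding and the sample words are constructed for illustration.

```python
"""Delta(w) for a distance desert automaton (Section 2.2).

Added worked example; the automaton below is constructed for illustration.
A transition is (source, letter, target, is_peage, is_water).  A path is
charged one coin per peage (Delta_1) plus the length of its longest
water-free stretch (Delta_2); Delta(w) is the minimum over accepting paths.
"""


class DDAutomaton:
    def __init__(self, states, initial, final, transitions):
        self.states = set(states)
        self.initial = set(initial)
        self.final = set(final)
        self.transitions = list(transitions)

    def step(self, state, letter):
        """All (target, is_peage, is_water) triples leaving `state` on `letter`."""
        return [(t, z, y) for (s, x, t, z, y) in self.transitions
                if s == state and x == letter]


def delta(aut, word):
    """Minimum of coins + longest dry stretch over accepting paths labelled `word`.

    The max in Delta_2 is not additive, so a configuration records
    (state, length of the current dry run, longest dry run so far) and maps it
    to the fewest coins paid along some path reaching it.  Returns None when
    no accepting path for `word` exists.
    """
    configs = {(q, 0, 0): 0 for q in aut.initial}
    for letter in word:
        nxt = {}
        for (q, cur, best), coins in configs.items():
            for (t, peage, water) in aut.step(q, letter):
                cur2 = 0 if water else cur + 1          # water refills the tank
                key = (t, cur2, max(best, cur2))
                cost = coins + (1 if peage else 0)       # a peage costs one coin
                if cost < nxt.get(key, float("inf")):
                    nxt[key] = cost
        configs = nxt
    costs = [coins + best for (q, _cur, best), coins in configs.items()
             if q in aut.final]
    return min(costs) if costs else None


def costs_along(aut, make_word, k_max):
    """Delta(w_k) for k = 1..k_max; an unbounded profile witnesses non-limitedness."""
    return [delta(aut, make_word(k)) for k in range(1, k_max + 1)]


# Constructed example: states 1,2; start in 1, accept in 2.
#   a: 1->1 desert (no water, no peage)    a: 2->2 water
#   b: 1->2 water                           b: 2->2 water and peage
EXAMPLE = DDAutomaton(
    states={1, 2}, initial={1}, final={2},
    transitions=[(1, "a", 1, False, False), (2, "a", 2, False, True),
                 (1, "b", 2, False, True), (2, "b", 2, True, True)])

if __name__ == "__main__":
    # a^k b needs a tank of capacity k, b^(m+1) costs m coins: not limited.
    print(costs_along(EXAMPLE, lambda k: "a" * k + "b", 5))
    print(costs_along(EXAMPLE, lambda k: "b" * (k + 1), 5))
```

The configuration key grows with the length of the longest dry run, so this direct computation is fine for checking individual words but cannot by itself decide limitedness; that is what the semiring construction of Sections 3 and 4 is for.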

A main result of the present paper is the following theorem: 

Theorem 1. It is decidable in time complexity ^ whether an n-state dis- 
tance desert automaton is limited. 

Theorem 1 includes the decidability of the limitedness problems for distance 
automata [3,9,10,16] and for desert automata [5]. 

In Section 3, we reduce the limitedness problem for dd-automata to a Burn- 
side problem. This Burnside problem is a joint generalization of the two Burnside 
problems corresponding to the limitedness problems of distance (resp. desert) 
automata [10,5]. It is solved in Section 4. 

The limitedness problem for dd-automata is PSPACE-hard, because it is 
PSPACE-complete (resp. PSPACE-hard) for distance (resp. desert) automata 
[11,5]. It is undecidable whether two dd-automata define the same mapping, 
because the same problem is already undecidable for distance automata [8]. 

As an application of Theorem 1, we show in Section 5 the following theorem: 
Theorem 2. It is decidable in time complexity 2 whether the language of an n-state non-deterministic automaton is of star height one.

The decidability was shown by K. Hashiguchi in 1982 [4]. However, the com- 
plexity which can be estimated from his paper is much larger [12, Annexe B]. 



3 An Algebraic Framework for the Limitedness Problem 

We develop an algebraic framework to show the decidability of the limitedness problem for dd-automata. Let $A = [Q, E, I, F, E^{\mathsf Z}, E^{\nabla}]$ be a dd-automaton, let $n = |Q|$, and assume $Q = \{1,\dots,n\}$.



3.1 Finite Semigroup Theory 

We introduce some basic notions from finite semigroup theory. For a deeper understanding, we refer the reader to, e.g., [13]. Let $S$ be a finite semigroup. An element $1 \in S$ is called an identity if $1p = p1 = p$ for every $p \in S$. If there is no identity in $S$, then we denote by $S^1$ the semigroup consisting of the set $S \cup \{1\}$, on which the operation of $S$ is extended in a way that $1$ is the identity of $S^1$. If $S$ has an identity, then we define $S^1$ to be $S$.

Let $a,b \in S$. If $a \in S^1 b S^1$, or equivalently if $S^1 a S^1 \subseteq S^1 b S^1$, then we write $a \le_{\mathcal J} b$. If $a \le_{\mathcal J} b$ and $b \le_{\mathcal J} a$, or equivalently if $S^1 a S^1 = S^1 b S^1$, then we write $a =_{\mathcal J} b$. The relation $=_{\mathcal J}$ is an equivalence. Its equivalence classes are called $\mathcal J$-classes. We call some subset $I \subseteq S$ an ideal if $S^1 I S^1 \subseteq I$. Every ideal is a union of $\mathcal J$-classes.

Let $a,b \in S$. If $a \in S^1 b$, or equivalently if $S^1 a \subseteq S^1 b$, then we write $a \le_{\mathcal L} b$. If $a \le_{\mathcal L} b$, then $ac \le_{\mathcal L} bc$ for every $c \in S$. If $a \le_{\mathcal L} b$ and $b \le_{\mathcal L} a$, or equivalently if $S^1 a = S^1 b$, then we write $a =_{\mathcal L} b$. We define the relations $\le_{\mathcal R}$ and $=_{\mathcal R}$ in the straightforward dual way.

An element $e \in S$ is called an idempotent if $ee = e$. An element $a \in S$ is called regular if there is an idempotent in the $\mathcal J$-class of $a$. The sets of idempotents (resp. regular elements) of $S$ are denoted by $E(S)$ (resp. $\mathrm{Reg}(S)$).

For every $m \ge 1$, we call $a_1,\dots,a_m \in S$ a smooth product if we have $a_1 =_{\mathcal J} \dots =_{\mathcal J} a_m =_{\mathcal J} (a_1\cdots a_m) \in \mathrm{Reg}(S)$.

We call a mapping $\sharp : E(S) \to E(S)$ consistent if we have $f^\sharp = a e^\sharp b$ for every $e,f \in E(S)$ and $a,b \in S$ satisfying $e =_{\mathcal J} f$ and $f = aeb$. It is shown in [5] that a mapping is consistent iff we have $(ab)^\sharp = a(ba)^\sharp b$ for every $a,b \in S$ with $ab, ba \in E(S)$. It was already observed in [9] that every consistent mapping $\sharp$ admits an extension to $\sharp : \mathrm{Reg}(S) \to \mathrm{Reg}(S)$ by setting $(ced)^\sharp = c e^\sharp d$ for every $e \in E(S)$ and $c,d \in S$ satisfying $e =_{\mathcal J} ced$.

If $a,b \in S$ are a smooth product, then $(ab)^\sharp = a^\sharp b^\sharp = a^\sharp b = a b^\sharp$ [5].

Let $a \in \mathrm{Reg}(S)$. There are $e,f \in E(S)$ with $e =_{\mathcal R} a =_{\mathcal L} f$, i.e., $ea = a = af$. Thus, $e^\sharp a = a^\sharp = a f^\sharp$, and moreover $a^\sharp \le_{\mathcal L} a$ and $a^\sharp \le_{\mathcal R} a$.
3.2 The Semigroup of Word Matrices

We extend the notion of word matrices from [5]. We consider the alphabet $\Gamma = \{\nabla, \triangle, \mathsf Z, \bar{\mathsf Z}\}$. The symbol $\nabla$ (resp. $\triangle$, $\mathsf Z$) should be pronounced "water" (resp. "desert", "peage"). The words over $\Gamma$ represent paths in dd-automata. Consider the semiring $\mathbb S = (\mathcal P_f(\Gamma^+) \cup \{\omega\}, \cup, \cdot)$, where $\omega$ is a new element and $\cup$ and $\cdot$ are extended from $\mathcal P_f(\Gamma^+)$ by setting, for every $X \in \mathbb S \setminus \{\emptyset\}$,

$$\omega \cdot X = X \cdot \omega = \omega, \qquad \omega \cup X = X \cup \omega = X,$$

and further $\emptyset \cdot \omega = \omega \cdot \emptyset = \emptyset$ and $\emptyset \cup \omega = \omega \cup \emptyset = \omega$. The natural ordering on $\mathbb S$ is set inclusion extended from $\mathcal P_f(\Gamma^+)$ in a way that $\omega$ is between the empty set and the singletons, i.e., we have $\emptyset \subseteq \omega \subseteq X$.

We call the matrices over $\mathbb S$ word matrices and denote by $\mathbb S_{n\times n}$ the semigroup of $n\times n$-matrices over $\mathbb S$. We use the free semigroup $\mathbb S^+_{n\times n}$ over the set $\mathbb S_{n\times n}$, and we denote by $\alpha : \mathbb S^+_{n\times n} \to \mathbb S_{n\times n}$ the homomorphism which arises from the identity on letters.

3.3 On the Semantics of Distance Desert Automata

We give another method to define the semantics of dd-automata using matrices. We define a mapping $\theta : E \to \Gamma$ by

$$\theta(e) = \begin{cases} \triangle & \text{if } e \notin E^{\nabla},\ e \notin E^{\mathsf Z},\\ \nabla & \text{if } e \in E^{\nabla},\ e \notin E^{\mathsf Z},\\ \mathsf Z & \text{if } e \notin E^{\nabla},\ e \in E^{\mathsf Z},\\ \bar{\mathsf Z} & \text{if } e \in E^{\nabla},\ e \in E^{\mathsf Z}. \end{cases}$$

This mapping extends to a homomorphism $\theta : (\mathcal P_f(E^+), \cup, \cdot) \to (\mathbb S, \cup, \cdot)$. We can assign every $w \in \Sigma^+$ a matrix $\theta(w) \in \mathbb S_{n\times n}$ by setting $\theta(w)[i,j] = \theta(i \xrightarrow{w} j)$. Clearly, $\theta : \Sigma^+ \to \mathbb S_{n\times n}$ is a homomorphism. The distance function $\Delta$ on paths from Section 2.2 induces a distance function on $\Gamma^+$ as

$$\Delta(\pi) = |\pi|_{\mathsf Z} + |\pi|_{\bar{\mathsf Z}} + \max\{\,|\pi'| \;\mid\; \pi' \in \{\triangle,\mathsf Z\}^*,\ \pi' \text{ is a subword of } \pi\,\}$$

for every $\pi \in \Gamma^+$, where $|\pi|_{\mathsf Z}$ (resp. $|\pi|_{\bar{\mathsf Z}}$) denotes the number of occurrences of $\mathsf Z$ (resp. $\bar{\mathsf Z}$) in $\pi$ and $|\pi'|$ denotes the length of $\pi'$. We extend $\Delta$ to $X \in \mathbb S$ by setting $\Delta(X) = \min\{\Delta(\pi) \mid \pi \in X\}$ if $X \ne \omega$, and $\Delta(\omega) = \omega$.

We can give another definition of the semantics of a dd-automaton. For $w \in \Sigma^+$, let $\Delta(w) = \min\{\Delta(\theta(w)[i,j]) \mid i \in I,\ j \in F\}$. This is equivalent to the definition in Section 2.2 up to the empty word.

3.4 The Distance Desert Semiring

Let $\mathcal S = \{\nabla, \triangle, \mathsf Z, \omega, \infty\}$. Intuitively, $\nabla$ represents a path with a water transition but without peage, $\triangle$ represents a path without a water transition and without peage, and $\mathsf Z$ represents a path with a peage, regardless of whether it contains a water transition. We define on $\mathcal S$ an operation $\cdot$ as the maximum for the ordering $\triangle \sqsubset \nabla \sqsubset \mathsf Z \sqsubset \omega \sqsubset \infty$. The operation $\cdot$ corresponds to the concatenation of paths, e.g., $\triangle \cdot \mathsf Z = \mathsf Z$ means that the concatenation of a path without a water transition and without a peage and a path with a peage yields a path with a peage. Clearly, $(\mathcal S, \cdot)$ is a monoid with identity $\triangle$ and zero $\infty$.

We define $\min$ on $\mathcal S$ for the ordering $\nabla < \triangle < \mathsf Z < \omega < \infty$. The relation $<$ represents something like choice, e.g., $\nabla < \triangle$ means that we rather choose a path with a water transition but without a peage than a path without water transition and without peage. The operation $\cdot$ is stable w.r.t. $<$. Moreover, $(\mathcal S, \min, \cdot)$ is a semiring with zero $\infty$ and identity $\triangle$.

Let $\Psi : \Gamma \to \mathcal S$ be the mapping defined by $\Psi(\nabla) = \nabla$, $\Psi(\triangle) = \triangle$, and $\Psi(\mathsf Z) = \Psi(\bar{\mathsf Z}) = \mathsf Z$. It extends to homomorphisms $\Psi : (\Gamma^+, \cdot) \to (\mathcal S, \cdot)$ and $\Psi : (\mathbb S, \cup, \cdot) \to (\mathcal S, \min, \cdot)$, where $\Psi(\emptyset) = \infty$ and $\Psi(\omega) = \omega$. For every $X \in \mathbb S$,

$$\Psi(X) = \begin{cases} \nabla & \text{if } X \text{ contains a word } \pi \in \{\nabla,\triangle\}^*\,\nabla\,\{\nabla,\triangle\}^*,\\ \triangle & \text{if } X \text{ contains a word } \pi \in \triangle^+ \text{ but } X \cap \{\nabla,\triangle\}^*\nabla\{\nabla,\triangle\}^* = \emptyset,\\ \mathsf Z & \text{if } X \text{ contains a word } \pi \in \Gamma^*\{\mathsf Z,\bar{\mathsf Z}\}\Gamma^* \text{ but } X \cap \{\nabla,\triangle\}^+ = \emptyset,\\ \omega & \text{if } X = \omega,\\ \infty & \text{if } X = \emptyset. \end{cases}$$

Clearly, $\Psi$ extends to a homomorphism $\Psi : \mathbb S_{n\times n} \to \mathcal S_{n\times n}$.

For technical reasons, we need a more specific distance function on $\mathbb S$. For every $X \in \mathbb S$ and $z \in \{\nabla,\triangle,\mathsf Z\}$, let $\Delta(X,z) = \min\{\Delta(\pi) \mid \pi \in X,\ \Psi(\pi) = z\}$. For every $z \in \{\nabla,\triangle,\mathsf Z\}$, we have $\Delta(\omega,z) = \Delta(\emptyset,z) = \infty$. For $X \in \mathbb S \setminus \{\emptyset\}$, let

$$\Delta'(X) = \begin{cases} \Delta(X, \Psi(X)) & \text{if } X \in \mathbb S \setminus \{\omega\},\\ \omega & \text{if } X = \omega. \end{cases}$$

For every $X \in \mathbb S \setminus \{\omega,\emptyset\}$, we have $\Delta(X) = \min\{\Delta(X,z) \mid z \in \{\nabla,\triangle,\mathsf Z\}\} \le \Delta'(X)$.



3.5 Strange Limits

We generalize the notion of a $\Psi$-limit from [5]. A $\Psi$-limit of some sequence over $\mathbb S$ describes in terms of $\mathcal S$ how the sequence is bounded.

Recall that some sequence $(q_k)_{k\ge1}$ is a subsequence of $(p_k)_{k\ge1}$ if there is a strictly increasing mapping $f : \mathbb N \to \mathbb N$ such that $q_k = p_{f(k)}$ for every $k \ge 1$.

A sequence $(x_k)_{k\ge1} \in (\mathbb N \cup \{\infty\})^{\mathbb N}$ is said to be bounded if there are $l, K \ge 1$ such that $x_k \le K$ for every $k \ge l$. It tends to infinity if for every $K \ge 1$ there is some $l \ge 1$ such that for every $k \ge l$ we have $x_k \ge K$.

Let $(X_k)_{k\ge1} \in \mathbb S^{\mathbb N}$ be a sequence. We define the $\Psi$-limit $\Psi(X_k)_{k\ge1}$ of $(X_k)_{k\ge1}$:

L1. If there is an $l \ge 1$ such that $X_k = \emptyset$ for every $k \ge l$, then $\Psi(X_k)_{k\ge1} = \infty$. In this case, we call $(X_k)_{k\ge1}$ an $\infty$-sequence.

For every $z \in \{\nabla,\triangle,\mathsf Z\}$, we denote the sequence $(\Delta(X_k,z))_{k\ge1}$ by $\Delta(X_k,z)_{k\ge1}$. Assume that there is some $l \ge 1$ such that $X_k \ne \emptyset$ for every $k \ge l$. In this case, we cannot apply (L1) to $(X_k)_{k\ge1}$, and we define:

L2. Let $z \in \{\nabla,\triangle,\mathsf Z\}$. If $\Delta(X_k,z)_{k\ge1}$ is bounded, and if for every $z' < z$ the sequence $\Delta(X_k,z')_{k\ge1}$ tends to infinity, then $\Psi(X_k)_{k\ge1} = z$.

L3. If for every $z \in \{\nabla,\triangle,\mathsf Z\}$ the sequence $\Delta(X_k,z)_{k\ge1}$ tends to infinity, then $\Psi(X_k)_{k\ge1} = \omega$.

If we can apply one of these three definitions to a sequence $(X_k)_{k\ge1}$, then we call $(X_k)_{k\ge1}$ a convergent sequence. Otherwise, $\Psi(X_k)_{k\ge1}$ is not defined. We denote the set of all convergent sequences by $\mathcal L(\mathbb S)$. Every sequence contains a convergent subsequence. Every constant sequence $(X)_{k\ge1}$ is convergent and we have $\Psi(X)_{k\ge1} = \Psi(X)$. For sequences over $\mathbb S$, we define $\cup$ and $\cdot$ componentwise.

Lemma 1. [6] 1. Every subsequence of a convergent sequence is convergent and converges to the same $\Psi$-limit.

2. The set of convergent sequences is closed under componentwise $\cup$ and $\cdot$, and $\Psi : (\mathcal L(\mathbb S), \cup, \cdot) \to (\mathcal S, \min, \cdot)$ is a homomorphism.

The notion of a $\Psi$-limit and a convergent sequence extends naturally to matrices. By Lemma 1(2), $\Psi : \mathcal L(\mathbb S_{n\times n}) \to \mathcal S_{n\times n}$ is a homomorphism.

For every subset $T \subseteq \mathbb S_{n\times n}$ we denote by $\mathcal L(T)$ the set of all convergent sequences over $\langle T\rangle$, and by $\Psi(\mathcal L(T))$ the set of their $\Psi$-limits. Since constant sequences are convergent, we have $\Psi(\langle T\rangle) \subseteq \Psi(\mathcal L(T))$. We formulate the limitedness problem using $\Psi$-limits.

Proposition 1. [6] Let $A = [Q, E, I, F, E^{\mathsf Z}, E^{\nabla}]$ be a dd-automaton and denote $T = \theta(\Sigma) = \{\theta(x) \mid x \in \Sigma\}$. The following assertions are equivalent:

1. $A$ is not limited.

2. There is a matrix $a \in \Psi(\mathcal L(T))$ such that $\min\{a[i,j] \mid i \in I,\ j \in F\} = \omega$.

To give an algorithm for the limitedness problem, we need a method to compute the finite set $\Psi(\mathcal L(T))$ while avoiding computing the possibly uncountable set $\mathcal L(T)$.



4 The Solution of the Burnside Problem 

We solve the Burnside problem by showing a method to compute the set $\Psi(\mathcal L(T))$. We fuse the approaches of H. Leung [10] and the author [5] to the Burnside problems corresponding to distance resp. desert automata. Several new difficulties arise in this fusion, and our proof is more than just a combination of [10] and [5]. By following [5,10], we implicitly use ideas from I. Simon. This section is a composition of ideas from H. Leung, I. Simon, and the author [5,9,10,14,15,16] together with new ideas.



4.1 Stabilization

We define a mapping $\sharp : E(\mathcal S_{n\times n}) \to \mathcal S_{n\times n}$ which we call stabilization. For every $e \in E(\mathcal S_{n\times n})$ and every $i,j$, let

$$e^\sharp[i,j] = \begin{cases} \infty & \text{if } e[i,j] = \infty, \qquad (1)\\[3pt] \min\{\, e[i,l]\cdot e[l,l]\cdot e[l,j] \;\mid\; e[l,l] = \nabla \,\} & \text{if there is some } l \text{ such that } e[l,l] = \nabla \text{ and } e[i,l], e[l,j] \in \{\nabla,\triangle,\mathsf Z\}, \qquad (2)\\[3pt] \omega & \text{otherwise.} \qquad (3) \end{cases}$$

We state some elementary properties of this mapping.

Remark 1. Let $e \in E(\mathcal S_{n\times n})$ and $i,j,l$ be arbitrary.

1. Assume $e[i,l] = \triangle$ and $e[l,l] = \nabla$. Then $(ee)[i,l] = \nabla$ but $e[i,l] = \triangle$, i.e., $e \notin E(\mathcal S_{n\times n})$. Thus, such $i$ and $l$ cannot exist, and similarly, it is impossible that $e[l,l] = \nabla$ and $e[l,j] = \triangle$.

2. We have $e^\sharp[i,j] \ne \triangle$ by the definition of $e^\sharp$. Moreover, we have $e^\sharp[i,j] = \infty$ iff $e[i,j] = \infty$.

3. We have $e[i,j] = (eee)[i,j] \le e^\sharp[i,j]$.

4. If $e[l,l] = \nabla$, then we have $e^\sharp[l,l] = \nabla$ by definition.

5. Assume $e[i,l] \in \{\nabla,\mathsf Z\}$ and $e[l,l] = \nabla$. Then $e^\sharp[i,l] = e[i,l]$. Similarly, if $e[l,l] = \nabla$ and $e[l,j] \in \{\nabla,\mathsf Z\}$, then $e^\sharp[l,j] = e[l,j]$.

Now, we state the main result of Section 4. For subsets $M \subseteq \mathcal S_{n\times n}$ we define $\langle M\rangle^\sharp$ as the least subset of $\mathcal S_{n\times n}$ which contains $M$ and is closed both under matrix multiplication and under stabilization of idempotent matrices.

Theorem 3. Let $T$ be a finite subset of $\mathbb S_{n\times n}$. We have $\Psi(\mathcal L(T)) = \langle\Psi(T)\rangle^\sharp$.

Until Theorem 3 is proved in Section 4.5, we need to establish relations between stabilization and $\Psi$-limits.
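Theorem 3 together with Proposition 1 is already a decision procedure: map every letter of the automaton to a matrix over the five-element semiring of Section 3.4, close the resulting finite set under matrix product and stabilization of idempotents, and look for a matrix whose minimum over the initial-times-final entries is $\omega$. The following Python program, added here as a worked example and not code from the paper, carries that out; the semiring elements $\nabla, \triangle, \mathsf Z, \omega, \infty$ are encoded as the strings `W`, `D`, `Z`, `w`, `oo`, the closure is computed by brute-force saturation rather than with the complexity bound of Theorem 1, and the three automata are constructed for illustration.

```python
"""Deciding limitedness of a dd-automaton via the distance desert semiring.

Added worked example (not the paper's code).  Product is the maximum for the
ordering DESERT < WATER < PEAGE < OMEGA < INF, addition is the minimum for
the ordering WATER < DESERT < PEAGE < OMEGA < INF (Section 3.4).
Stabilisation follows the three cases of Section 4.1; the closure <M>^# and
the omega test implement Theorem 3 and Proposition 1.
"""
from collections import namedtuple

WATER, DESERT, PEAGE, OMEGA, INF = "W", "D", "Z", "w", "oo"
PROD_RANK = {DESERT: 0, WATER: 1, PEAGE: 2, OMEGA: 3, INF: 4}
MIN_RANK = {WATER: 0, DESERT: 1, PEAGE: 2, OMEGA: 3, INF: 4}


def times(x, y):
    return x if PROD_RANK[x] >= PROD_RANK[y] else y


def plus(x, y):
    return x if MIN_RANK[x] <= MIN_RANK[y] else y


def _min_sum(values):
    acc = INF
    for v in values:
        acc = plus(acc, v)
    return acc


def mat_mul(a, b):
    """(min, .)-product of two matrices given as tuples of tuples."""
    n = len(a)
    return tuple(tuple(_min_sum(times(a[i][l], b[l][j]) for l in range(n))
                       for j in range(n)) for i in range(n))


def stabilise(e):
    """e^# for an idempotent matrix e (cases (1), (2), (3) of Section 4.1)."""
    n = len(e)
    ok = (WATER, DESERT, PEAGE)
    out = []
    for i in range(n):
        row = []
        for j in range(n):
            if e[i][j] == INF:                                  # case (1)
                row.append(INF)
                continue
            cands = [times(times(e[i][l], e[l][l]), e[l][j]) for l in range(n)
                     if e[l][l] == WATER and e[i][l] in ok and e[l][j] in ok]
            row.append(_min_sum(cands) if cands else OMEGA)    # case (2) else (3)
        out.append(tuple(row))
    return tuple(out)


# States are 0..n-1; a transition is (src, letter, dst, is_peage, is_water).
DD = namedtuple("DD", "n initial final transitions")


def letter_matrix(aut, letter):
    """Psi(theta(letter)): cheapest transition type between each pair of states."""
    m = [[INF] * aut.n for _ in range(aut.n)]
    for (s, x, t, peage, water) in aut.transitions:
        if x == letter:
            kind = PEAGE if peage else (WATER if water else DESERT)  # Z-bar -> Z
            m[s][t] = plus(m[s][t], kind)
    return tuple(tuple(r) for r in m)


def closure_sharp(gens):
    """<M>^#: least set containing M closed under product and stabilisation of idempotents."""
    seen, todo = set(gens), list(gens)
    while todo:
        m = todo.pop()
        fresh = [mat_mul(m, g) for g in seen] + [mat_mul(g, m) for g in seen]
        if mat_mul(m, m) == m:
            fresh.append(stabilise(m))
        for x in fresh:
            if x not in seen:
                seen.add(x)
                todo.append(x)
    return seen


def is_limited(aut):
    """Proposition 1 + Theorem 3: limited iff no closure matrix has omega on I x F."""
    letters = sorted({x for (_, x, _, _, _) in aut.transitions})
    gens = [letter_matrix(aut, x) for x in letters]
    return all(_min_sum(m[i][j] for i in aut.initial for j in aut.final) != OMEGA
               for m in closure_sharp(gens))


# Constructed examples.  Dry a-loop in state 0 before the b to state 1: a^k b
# needs a tank of capacity k, so the automaton is not limited.
EX_UNLIMITED = DD(n=2, initial={0}, final={1}, transitions=[
    (0, "a", 0, False, False), (1, "a", 1, False, True),
    (0, "b", 1, False, True), (1, "b", 1, True, True)])
# One peage on the way into state 1, everything else water: every word costs <= 1.
EX_LIMITED = DD(n=2, initial={0}, final={1}, transitions=[
    (0, "a", 0, False, True), (0, "b", 1, True, True), (1, "b", 1, False, True)])
# Dry and water transitions alternate, so the longest dry stretch is 1.
EX_ALTERNATING = DD(n=2, initial={0}, final={0, 1}, transitions=[
    (0, "a", 1, False, False), (1, "a", 0, False, True)])

if __name__ == "__main__":
    for name, aut in [("unlimited", EX_UNLIMITED), ("limited", EX_LIMITED),
                      ("alternating", EX_ALTERNATING)]:
        print(name, is_limited(aut))
```

In the first example the letter matrix of `a` is idempotent and its stabilisation puts $\omega$ at entry $[0,0]$, because the only diagonal $\nabla$ is in state 1 and state 1 is not reachable from state 0 by an `a`; multiplying by the matrix of `b` then moves that $\omega$ to the initial-times-final entry $[0,1]$, which is exactly the witness Proposition 1 asks for.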



4.2 Stabilization Is a Consistent Mapping

We establish a first connection between stabilization and $\Psi$-limits of sequences.

Proposition 2. [6] Let $(A_k)_{k\ge1}$ be a convergent sequence over $\mathbb S_{n\times n}$ and let $e = \Psi(A_k)_{k\ge1} \in E(\mathcal S_{n\times n})$. Then $(A_k^k)_{k\ge1}$ is convergent and $\Psi(A_k^k)_{k\ge1} = e^\sharp$.

The proof is technically involved. It follows the same strategy as the proof of the corresponding proposition in [5]. Our next step is to generalize stabilization from $E(\mathcal S_{n\times n})$ to $\mathrm{Reg}(\mathcal S_{n\times n})$:

Lemma 2. Stabilization $\sharp$ is a consistent mapping.

Proof. Let $e \in E(\mathcal S_{n\times n})$. Let $E \in \mathbb S_{n\times n}$ with $\Psi(E) = e$. By Prop. 2 and Lemma 1, $e^\sharp e^\sharp = \Psi(E^k)_{k\ge1}\,\Psi(E^k)_{k\ge1} = \Psi(E^kE^k)_{k\ge1} = \Psi(E^{2k})_{k\ge1} = \Psi(E^k)_{k\ge1} = e^\sharp$, since $(E^{2k})_{k\ge1}$ is a subsequence of $(E^k)_{k\ge1}$; i.e., $e^\sharp \in E(\mathcal S_{n\times n})$. Let $a,b \in \mathcal S_{n\times n}$ with $ab, ba \in E(\mathcal S_{n\times n})$. Let $A,B \in \mathbb S_{n\times n}$ with $a = \Psi(A)$ and $b = \Psi(B)$. Then $(ab)^\sharp = \Psi((AB)^{k+1})_{k\ge1} = \Psi(A(BA)^kB)_{k\ge1} = a\,\Psi((BA)^k)_{k\ge1}\,b = a(ba)^\sharp b$.

Lemma 2 gives a generalization of stabilization to $\mathrm{Reg}(\mathcal S_{n\times n})$ (cf. Section 3.1). We show three crucial lemmas about stabilization of regular matrices in $\mathcal S_{n\times n}$.

Lemma 3. Let $a \in \mathrm{Reg}(\mathcal S_{n\times n})$ and $i,j$ be arbitrary.

1. If $a[i,j] \in \{\omega,\infty\}$, then $a^\sharp[i,j] = a[i,j]$.

2. If $a[i,j] = \nabla$, then $a^\sharp[i,j] \in \{\nabla,\mathsf Z,\omega\}$.

3. If $a[i,j] \in \{\triangle,\mathsf Z\}$, then $a^\sharp[i,j] \in \{\mathsf Z,\omega\}$.

In particular, we have $a^\sharp[i,j] \ne \triangle$ regardless of $a[i,j]$.

Proof (sketch). Let $e \in E(\mathcal S_{n\times n})$ with $e =_{\mathcal L} a$, i.e., $a = ae$ and $a^\sharp = ae^\sharp$. The proof follows by an examination of the product $ae^\sharp$ and Remark 1.
The following lemma is an easy adaptation of Lemma 3.9 in [10, p. 107].

Lemma 4. [6] Let $a,b,c \in \mathcal S_{n\times n}$ be a smooth product and let $i,j$ be such that $(abc)^\sharp[i,j] = \mathsf Z$. There are $p,q$ such that we have $a[i,p], c[q,j] \in \{\nabla,\triangle,\mathsf Z\}$ and $b[p,q] = b^\sharp[p,q] = \nabla$. Moreover, we have $a[i,p] = \mathsf Z$ or $c[q,j] = \mathsf Z$.

Lemma 5. Let $m \ge 1$ and let $a_1,\dots,a_m \in \mathcal S_{n\times n}$ be a smooth product. Let $i,j$ be arbitrary.

1. If $(a_1\cdots a_m)^\sharp[i,j] = \nabla$, then there are $i = i_0,\dots,i_m = j$ such that for every $1 \le l \le m$ we have $a_l[i_{l-1},i_l] = a_l^\sharp[i_{l-1},i_l] = \nabla$.

2. If $(a_1\cdots a_m)^\sharp[i,j] = \mathsf Z$, then there are $i = i_0,\dots,i_m = j$ such that for every $2 \le l \le m-1$, $a_l[i_{l-1},i_l] = a_l^\sharp[i_{l-1},i_l] = \nabla$, and $a_1[i_0,i_1], a_m[i_{m-1},i_m] \in \{\nabla,\triangle,\mathsf Z\}$. Moreover, if $m \ge 3$, then $a_1[i_0,i_1] = \mathsf Z$ or $a_m[i_{m-1},i_m] = \mathsf Z$.

Proof. (1) Since $\sharp$ is consistent and $a_1,\dots,a_m$ is a smooth product, $(a_1\cdots a_m)^\sharp = a_1^\sharp\cdots a_m^\sharp$. By $a_1^\sharp\cdots a_m^\sharp[i,j] = \nabla$, there are $i = i_0,\dots,i_m = j$ such that for every $1 \le l \le m$, $a_l^\sharp[i_{l-1},i_l] \in \{\nabla,\triangle\}$. By Lemma 3, $a_l^\sharp[i_{l-1},i_l] \ne \triangle$, i.e., we have $a_l^\sharp[i_{l-1},i_l] = \nabla$ for every $1 \le l \le m$. By Lemma 3 in contraposition, we have $a_l[i_{l-1},i_l] = \nabla$.

(2) We assume $m \ge 3$; otherwise, the claim is obvious. We apply Lemma 4 to the smooth product $a_1(a_2\cdots a_{m-1})a_m$, and (1) to $a_2\cdots a_{m-1}$.

4.3 On the Growth of Entries

We call a word $w = A_1\cdots A_{|w|} \in \mathbb S^+_{n\times n}$ a smooth product if $\Psi(A_1),\dots,\Psi(A_{|w|})$ is a smooth product. We extend the mapping $\Delta$. For a matrix $A \in \mathbb S_{n\times n}$, a word $w \in \mathbb S^+_{n\times n}$, resp. a finite subset $T \subseteq \mathbb S^+_{n\times n}$, $\Delta$ yields the maximum among the values on every entry of $A$, of every letter in $w$, resp. of every word $w \in T$, where entries equal to $\omega$ and $\infty$ are disregarded:

1. For $A \in \mathbb S_{n\times n}$, let $\Delta(A) = \max_{i,j} \Delta(A[i,j])$.

2. For $w = A_1\cdots A_{|w|} \in \mathbb S^+_{n\times n}$, let $\Delta(w) = \max_{l \in \{1,\dots,|w|\}} \Delta(A_l)$.

3. For $T = \{w_1,\dots,w_{|T|}\} \subseteq \mathbb S^+_{n\times n}$, let $\Delta(T) = \max_{l \in \{1,\dots,|T|\}} \Delta(w_l)$.

We extend $\Delta'$ from Section 3.4 in the same way.

Proposition 3. Let $w \in \mathbb S^+_{n\times n}$ be a smooth product and $i,j$ be arbitrary.

1. If $\Psi(\alpha(w))^\sharp[i,j] = \nabla$, then $\Delta'(\alpha(w)[i,j]) \le 2\Delta'(w)$, i.e., $\Delta(\alpha(w)[i,j]) \le 2\Delta'(w)$.

2. If $\Psi(\alpha(w))^\sharp[i,j] = \omega$, then $\Delta(\alpha(w)[i,j]) \ge \cdots - 1$.

Proof. We denote $w = A_1\cdots A_{|w|}$ and $a_l = \Psi(A_l)$ for every $l \in \{1,\dots,|w|\}$.

We show (1). By Lemma 5(1), there are $i = i_0,\dots,i_{|w|} = j$ satisfying $a_l[i_{l-1},i_l] = \nabla$ for every $l \in \{1,\dots,|w|\}$. Thus, every $A_l[i_{l-1},i_l]$ contains a $\pi_l$ with $\Psi(\pi_l) = \nabla$ and $\Delta(\pi_l) \le \Delta'(w)$. Since each $\pi_l$ contains a water transition and no peage, a longest water-free subword of $\pi_1\cdots\pi_{|w|}$ stretches over at most two consecutive factors, i.e., $\Delta'(\alpha(w)[i,j]) \le \Delta(\pi_1\cdots\pi_{|w|}) \le 2\Delta'(w)$.

We sketch (2). By contradiction, let $\pi \in \alpha(w)[i,j]$ with $\Delta(\pi) < \cdots - 1$. By various counting arguments, we obtain some $1 \le q < r \le |w|$ and some $l$ such that $\pi \in \alpha(A_1\cdots A_q)[i,l]\cdot\alpha(A_{q+1}\cdots A_r)[l,l]\cdot\alpha(A_{r+1}\cdots A_{|w|})[l,j]$. We can choose $q$ and $r$ such that $a_{q+1}\cdots a_r$ is an idempotent. We can factorize $\pi = \pi_1\pi_2\pi_3$ such that $\pi_2 \in \alpha(A_{q+1}\cdots A_r)[l,l]$. By $\Delta(\pi) < \cdots - 1$, we can choose $q$ and $r$ such that $\Psi(\pi_2) = \nabla$, i.e., $(a_{q+1}\cdots a_r)[l,l] = \nabla$. Then $(a_{q+1}\cdots a_r)^\sharp[l,l] = \nabla$, and we can conclude $\Psi(\alpha(w))^\sharp[i,j] \in \{\nabla,\mathsf Z\}$.

In [6], we use Lemma 5(2) to show a corresponding proposition for the case $\Psi(\alpha(w))^\sharp[i,j] = \mathsf Z$, and we obtain the following corollary.

Corollary 1. [6] Let $w \in \mathbb S^+_{n\times n}$ with $|w| \ge 3$ be a smooth product and $i,j$ be arbitrary. Let $z = \Psi(\alpha(w))^\sharp[i,j]$.

1. If $z \in \{\nabla,\mathsf Z\}$, then there is a path $\pi \in \alpha(w)[i,j]$ satisfying $\Psi(\pi) = z$ and $\Delta(\pi) \le 4\Delta'(w)$.

2. For every $\pi \in \alpha(w)[i,j]$ with $\Psi(\pi) < z$, we have $\Delta(\pi) \ge \cdots - 1$.

Note that $\Psi(\pi) < z$ in (2) refers to the ordering $\nabla < \triangle < \mathsf Z < \dots$ of $\mathcal S$.

4.4 Stabilization of Word Matrices

For matrices $A \in \mathbb S_{n\times n}$, we define $A^\sharp$ if $\Psi(A) \in \mathrm{Reg}(\mathcal S_{n\times n})$. Let $a = \Psi(A)$.

$$A^\sharp[i,j] = \begin{cases} A[i,j] & \text{if } a[i,j] = a^\sharp[i,j],\\ \omega & \text{if } a[i,j] \ne a^\sharp[i,j] = \omega,\\ \{\pi \in A[i,j] \mid \Psi(\pi) = \mathsf Z\} & \text{if } a[i,j] \ne a^\sharp[i,j] = \mathsf Z. \end{cases}$$

By Lemma 3, the cases in this definition are complete. Intuitively, the definition of $A^\sharp$ simply means to apply all the changes between $a$ and $a^\sharp$ to $A$. It seems that we have $\Psi(A^\sharp) = a^\sharp$. However, one can construct counterexamples in which $a[i,j] \ne a^\sharp[i,j] = \mathsf Z$ but $A[i,j]$ does not contain any word $\pi$ with $\Psi(\pi) = \mathsf Z$. In this case, $A^\sharp[i,j] = \emptyset$, i.e., $\Psi(A^\sharp)[i,j] = \infty \ne \mathsf Z = a^\sharp[i,j]$. On the other hand, if $a[i,j] \ne a^\sharp[i,j] = \mathsf Z$ and $A$ is the result of a smooth product of at least 3 matrices, then there is by Corollary 1(1) some $\pi \in A[i,j]$ with $\Psi(\pi) = \mathsf Z$.

Lemma 6. [6] Let $w \in \mathbb S^+_{n\times n}$ be a smooth product with $|w| \ge 3$. We have $\Psi(\alpha(w)^\sharp) = \Psi(\alpha(w))^\sharp$.

We define a relation to compare word matrices. Let $K \ge 1$ and $X, Y \in \mathbb S$. We write $X \preceq_K Y$ if we can transform $X$ into $Y$ by removing words $\pi$ with $\Delta(\pi) > K$ from $X$. More precisely, we write $X \preceq_K Y$ if we have:

1. If $X = \emptyset$, then $Y = \emptyset$.

2. If $X \ne \emptyset$, then $X \supseteq Y \ne \emptyset$.

3. $X$ and $Y$ "agree in their bounded words", i.e., $\{\pi \in X \mid \Delta(\pi) \le K\} \subseteq Y$.

If $X$ contains some word, then we do not have $X \preceq_K \emptyset$, regardless of whether there are words $\pi \in X$ with $\Delta(\pi) \le K$. However, if $X$ contains some word but we have $\Delta(\pi) > K$ for every $\pi \in X$, then we have $X \preceq_K \omega$.

We generalize $\preceq_K$ componentwise to matrices in $\mathbb S_{n\times n}$. It is easy to show that $\preceq_K$ on $\mathbb S$ is stable w.r.t. $\cup$ and $\cdot$, i.e., $\preceq_K$ on $\mathbb S_{n\times n}$ is stable w.r.t. multiplication.
Lemma 7. Let $K \ge 1$, and let $w \in \mathbb S^+_{n\times n}$ be a smooth product with $|w| > (5^{n^2}\,n\,(K+2))^2$. We have $\alpha(w) \preceq_K \alpha(w)^\sharp$.

Proof. Denote $w = A_1\cdots A_{|w|}$, and let $A = \alpha(w)$ and $a = \Psi(A)$. Let $i,j$ be arbitrary. We consider the cases in the definition of $A^\sharp$.

If $a[i,j] = a^\sharp[i,j]$, then $A[i,j] = A^\sharp[i,j]$ and in particular $A[i,j] \preceq_K A^\sharp[i,j]$. Assume $a[i,j] \ne a^\sharp[i,j] = \omega$. Then $A^\sharp[i,j] = \omega$. By Lemma 3, we have $a[i,j] \ne \infty$, i.e., $A[i,j] \ne \emptyset$, which shows (1,2) in the definition of $\preceq_K$. In order to verify (3), we have to show $\Delta(\pi) > K$ for every $\pi \in A[i,j]$. This follows from Corollary 1(2) and the length assumption on $w$.

We can deal with the case $a[i,j] \ne a^\sharp[i,j] = \mathsf Z$ in the same way.

4.5 The Proof of Theorem 3

We show a proposition which allows us to transform words in $\mathbb S^+_{n\times n}$. We will use it to transform the words of sequences $(w_k)_{k\ge1} \in (T^+)^{\mathbb N}$ in order to examine the $\Psi$-limit of the sequence $(\alpha(w_k))_{k\ge1}$, which is how we show $\Psi(\mathcal L(T)) \subseteq \langle\Psi(T)\rangle^\sharp$.

Proposition 4. Let $K \ge 2$. Let $T$ be some finite subset of $\mathbb S_{n\times n}$. There is some $x_K \ge K$ such that for every $w \in T^+$ there is a $B \in \mathbb S_{n\times n}$ satisfying $\Psi(B) \in \langle\Psi(T)\rangle^\sharp$, $\alpha(w) \preceq_K B$, and $\Delta'(B) \le x_K$.

We should pay some attention to the conditions $\Delta'(B) \le x_K$ and $\alpha(w) \preceq_K B$. Let $i,j$ be arbitrary. If $\alpha(w)[i,j] \in \{\omega,\emptyset\}$, then $\alpha(w)[i,j] = B[i,j]$.

If we have $\Delta(\alpha(w)[i,j]) \le K$, then $\alpha(w)[i,j] \supseteq B[i,j]$, but $\alpha(w)[i,j]$ and $B[i,j]$ agree in their bounded words (cf. 2, 3 in the definition of $\preceq_K$).

If $\Delta(\alpha(w)[i,j]) > x_K$, then $\alpha(w) \preceq_K B$ and $\Delta'(B) \le x_K$ imply $B[i,j] = \omega$. However, if $K < \Delta(\alpha(w)[i,j]) \le x_K$, then we do not know whether we have $\Delta(B[i,j]) \le x_K$ or $B[i,j] = \omega$. We avoid this problem by applying Prop. 4 only to words $w$ for which either $\Delta(\alpha(w)[i,j]) \le K$ or $x_K < \Delta(\alpha(w)[i,j])$.

If we drop the assertion $\Delta'(B) \le x_K$ from Prop. 4, then we can prove it by setting $B = \alpha(w)$ and $x_K = K$. In fact, the proof of Prop. 4 is essentially based on the idea of defining $B$ as $\alpha(w)$ with some adjustments, in a way that these adjustments keep the properties $\Psi(B) \in \langle\Psi(T)\rangle^\sharp$ and $\alpha(w) \preceq_K B$.

If we assume in Prop. 4 that $w$ is a long smooth product, then we can prove it by setting $B = \alpha(w)^\sharp$ and $x_K = 4\Delta'(T)$. By Lemma 6, we achieve $\Psi(B) = \Psi(\alpha(w)^\sharp) = \Psi(\alpha(w))^\sharp$, which belongs to $\langle\Psi(T)\rangle^\sharp$ because $\Psi(\alpha(w)) \in \langle\Psi(T)\rangle^\sharp$. We have $\alpha(w) \preceq_K B$ by Lemma 7, and we get $\Delta'(B) \le 4\Delta'(T)$ by Corollary 1(1). We establish the following lemma to prove Prop. 4.

Lemma 8. Let $K \ge 2$ and $x \ge 1$ be arbitrary. Let $I' \subsetneq I \subseteq \langle\Psi(T)\rangle^\sharp$ be two ideals of $\langle\Psi(T)\rangle^\sharp$ such that $I \setminus I'$ is a $\mathcal J$-class of $\langle\Psi(T)\rangle^\sharp$. There is some $x' \ge 1$ such that for every $w = A_1\cdots A_{|w|} \in \mathbb S^+_{n\times n}$ satisfying

A1. $\Psi(A_1),\dots,\Psi(A_{|w|}) \in \langle\Psi(T)\rangle^\sharp$,

A2. $\Delta'(w) \le x$,

A3. for every $1 \le l \le |w|-1$, $\Psi(A_lA_{l+1}) \in I$,

there is some $v = B_1\cdots B_{|v|} \in \mathbb S^+_{n\times n}$ satisfying $\alpha(w) \preceq_K \alpha(v)$ and

C1. $\Psi(B_1),\dots,\Psi(B_{|v|}) \in \langle\Psi(T)\rangle^\sharp$,

C2. $\Delta'(v) \le x'$,

C3. for every $1 \le l \le |v|-1$, $\Psi(B_lB_{l+1}) \in I'$.

In particular, this assertion is true for $x' = 2(5^{n^2}\,n\,(K+2))^2\,x$.

At first, note the similarity between the assumptions (A1, A2, A3) and the claims (C1, C2, C3). This similarity enables us to apply Lemma 8 inductively along a chain of ideals $\emptyset \subset \dots \subset I_2 \subset I_1 \subseteq \langle\Psi(T)\rangle^\sharp$ to prove Prop. 4. In the first step of the induction, we simply set $x = \Delta'(T)$ and $I = \langle\Psi(T)\rangle^\sharp$, and for every $w \in T^+$ (A1, A2, A3) are obviously satisfied. In the last step of this induction, $I' = \emptyset$, and thus (C3) implies that $v$ has length 1, and $v$ is the matrix $B$ which we require to prove Prop. 4. See [6] for the details of the proof of Prop. 4.

We are not interested in whether Ai,. . . , A|„| ,Bi,..., i?|„| belong to (T), we 
just assume resp. show that their images under F belong to {F{T))K 

Proof (Lemma 8). Let $K$, $x$, and $w = A_1 \dots A_{|w|} \in S_{n\times n}^+$ be as in the lemma.

We factorize $w$ into words $v_1, v_2, \dots, v_m$. If $\Psi(A_1) \in I'$, then let $v_1 = A_1$ and proceed with $A_2 \dots A_{|w|}$. If $\Psi(A_1) \notin I'$, then let $v_1$ be the longest prefix of $w$ satisfying $\Psi(v_1) \notin I'$ and proceed with the remaining part of $w$. If $|v_l| > 1$ for some $1 \le l \le m$, then $\Psi(v_l) \in I \setminus I'$, since $\Psi(v_l) \notin I'$ by construction and $\Psi(v_l) \in I$ by (A3). We get an $m \ge 1$ and $v_1, \dots, v_m \in S_{n\times n}^+$ such that

1. $A_1 \dots A_{|w|} = v_1 \dots v_m$ (concatenation of words),

2. $\Psi(v_1), \dots, \Psi(v_m) \in (\Psi(T))^\sharp$,

3. for every $1 \le l \le m-1$, $\Psi(\alpha(v_l v_{l+1})) \in I'$ (by construction of $v_l$),

4. for every $1 \le l \le m$ with $|v_l| > 1$, we have $\Psi(\alpha(v_l)) \in I \setminus I'$.

Let $1 \le l \le m$ be arbitrary.

Case 1: $|v_l| \le 2(5^n n(K+2))^2$.

We set $B_l = \alpha(v_l)$. Then $\alpha(v_l) \preceq_K B_l$, and $B_l$ satisfies (C1). Moreover, $\Delta(B_l) \le |v_l| \cdot \Delta(v_l) \le 2(5^n n(K+2))^2 x = x'$, i.e., $B_l$ satisfies (C2).

Case 2: $|v_l| > 2(5^n n(K+2))^2$.

We denote $v_l$ as $v_l = V_1 \dots V_{|v_l|}$. We transform $v_l$ into a word $u$. If $|v_l|$ is even, then we set $u = \alpha(V_1 V_2)\,\alpha(V_3 V_4) \dots \alpha(V_{|v_l|-1} V_{|v_l|})$. Otherwise, $u = \alpha(V_1 V_2)\,\alpha(V_3 V_4) \dots \alpha(V_{|v_l|-2} V_{|v_l|-1} V_{|v_l|})$. Clearly, $\alpha(v_l) = \alpha(u)$.

We have $|u| \ge (5^n n(K+2))^2$. We denote the letters of $u$ by $u = U_1 \dots U_{|u|}$. Let $1 \le k \le |u|$. By (A3), $\Psi(U_k) \in I$. If $\Psi(U_k) \in I'$, then $\Psi(\alpha(u)) \in I'$ and $\Psi(\alpha(u)) = \Psi(\alpha(v_l)) \in I'$, which contradicts (4) above. Hence, $\Psi(U_k) \in I \setminus I'$. Consequently, $I \setminus I'$ is a regular $\mathcal{J}$-class of $(\Psi(T))^\sharp$, and $u$ is a smooth product. Hence, we can define $B_l = \alpha(u)^\sharp = \alpha(v_l)^\sharp$.

By Lemma 6, $\Psi(B_l) = \Psi(\alpha(u)^\sharp) = \Psi(\alpha(u))^\sharp$. By $\Psi(\alpha(u)) \in (\Psi(T))^\sharp$, we have $\Psi(\alpha(u))^\sharp \in (\Psi(T))^\sharp$. To sum up, we have $\Psi(B_l) = \Psi(\alpha(u))^\sharp \in (\Psi(T))^\sharp$. By Lemma 7, we have $\alpha(u) \preceq_K \alpha(u)^\sharp$, i.e., $\alpha(v_l) \preceq_K B_l$.

Let $i, j$ be arbitrary. If $B_l[i,j]$ contains some word, then $\Psi(B_l)[i,j] \in \{\mathsf{Y}, \mathsf{Z}\}$. By Corollary 1(1), $\Delta(B_l[i,j]) \le 4\Delta(u) \le 12\Delta(w) \le 12x \le x'$ (C2).

We show (C3). By (3) above, $\Psi(\alpha(v_l v_{l+1})) \in I'$ for every $l \in \{1, \dots, m-1\}$.

In both case 1 and case 2, we have $\Psi(B_l) \le_{\mathcal{L}} \Psi(v_l)$ and $\Psi(B_{l+1}) \le_{\mathcal{R}} \Psi(v_{l+1})$, i.e.,

$\Psi(B_l)\Psi(B_{l+1}) \le_{\mathcal{J}} \Psi(v_l)\Psi(v_{l+1}) \in I'$, i.e., $\Psi(B_l)\Psi(B_{l+1}) = \Psi(B_l B_{l+1}) \in I'$.

In both case 1 and case 2, we have seen $\alpha(v_l) \preceq_K \alpha(B_l)$ for every $1 \le l \le m$. By the stability of $\preceq_K$ w.r.t. matrix multiplication it follows that $\alpha(w) \preceq_K \alpha(v)$.

Proof (Theorem 3). We show $(\Psi(T))^\sharp \subseteq \Psi(\mathcal{T})$. We have $\Psi(T) \subseteq \Psi(\mathcal{T})$, because for every $A \in T$, $\Psi(A)$ is the $\Psi$-limit of $(A)_{k \ge 1}$. Moreover, $\Psi(\mathcal{T})$ is closed under multiplication (Lemma 1) and stabilization of idempotents (Prop. 1).

We show $\Psi(\mathcal{T}) \subseteq (\Psi(T))^\sharp$. Let $(w_k)_{k \ge 1} \in T^+$ be some sequence such that

0. $(w_k)_{k \ge 1}$ is convergent.

Let $a = \Psi(\alpha(w_k))_{k \ge 1}$. We have to show $a \in (\Psi(T))^\sharp$.

By subsequence selection arguments, we can assume some bound $K \ge 1$ such that we have for every $l \ge 1$, $z \in \{\mathsf{Y}, /K\backslash, \mathsf{Z}\}$ and every $i, j$:

1. If $a[i,j] = \infty$, then $\alpha(w_l)[i,j] = \infty$.

2. If $\Delta(\alpha(w_k)[i,j], z)_{k \ge 1}$ is bounded, then $\Delta(\alpha(w_l)[i,j], z) \le K$.

Let $x_K$ be provided by Prop. 4. There is a word $w$ among $(w_k)_{k \ge 1}$ such that:

3. If $\Delta(\alpha(w_k)[i,j], z)_{k \ge 1}$ tends to infinity, then $\Delta(\alpha(w)[i,j], z) > x_K$.

By Prop. 4 on $w$ we obtain some $B \in S_{n\times n}$. We have $\Psi(B) \in (\Psi(T))^\sharp$. In the rest of the proof, we show $a = \Psi(B)$, and $a \in (\Psi(T))^\sharp$ follows. Let $i, j$ be arbitrary.

If $a[i,j] = \infty$, then we have $\alpha(w)[i,j] = \infty$ due to (1), and by $\alpha(w) \preceq_K B$ (Prop. 4), $B[i,j] = \infty$, i.e., $\Psi(B[i,j]) = \infty = a[i,j]$.

Assume $a[i,j] = \mathsf{Z}$. Then $\Delta(\alpha(w_k)[i,j], \mathsf{Z})_{k \ge 1}$ is bounded. By (2) above, there is a $\pi \in \alpha(w)[i,j]$ with $\Psi(\pi) = \mathsf{Z}$ and $\Delta(\pi) \le K$. By $\alpha(w) \preceq_K B$, $\pi \in B[i,j]$, i.e., $\Psi(B[i,j]) \in \{\mathsf{Y}, /K\backslash, \mathsf{Z}\}$. By contradiction, assume $\Psi(B[i,j]) = \mathsf{Y}$. From all words $\pi \in B[i,j]$ with $\Psi(\pi) = \mathsf{Y}$ choose a word $\pi$ for which $\Delta(\pi)$ is minimal. By $\alpha(w) \preceq_K B$, $\pi \in \alpha(w)[i,j]$. Because $\Delta(\alpha(w_k)[i,j], \mathsf{Y})_{k \ge 1}$ tends to infinity, we have by (3) above $\Delta(\pi) > x_K$, and we can conclude $\Delta(B) > x_K$, which is a contradiction. Hence, $\Psi(B[i,j]) \ne \mathsf{Y}$. We can show $\Psi(B[i,j]) \ne /K\backslash$ in the same way. To sum up, $\Psi(B[i,j]) = \mathsf{Z} = a[i,j]$.

We deal with the cases $a[i,j] \in \{\mathsf{Y}, /K\backslash, \omega\}$ in the same way [6].

Proof (Theorem 1). We combine Prop. 1 and Theorem 3. 



5 On the Star Height One Problem 

Let $\Sigma$ be an alphabet. Every word $w \in \Sigma^*$ is a rational expression of star height 0, i.e., $\mathrm{sh}(w) = 0$. If $r$ and $s$ are rational expressions over $\Sigma^*$, then $rs$ and $r \cup s$ are rational expressions of star height $\max\{\mathrm{sh}(r), \mathrm{sh}(s)\}$, but $r^*$ is of star height $\mathrm{sh}(r) + 1$. The star height of a language $L$ is denoted by $\mathrm{sh}(L)$ and defined as the minimum of $\mathrm{sh}(r)$ over all rational expressions $r$ such that $L(r) = L$.

A language $L$ is of star height 0 iff it is finite. Already for $\Sigma = \{a, b\}$, there are languages of arbitrary star height [1]. For example, $ab^*$, $ba^*b^*aa \cup a^*$ and $(a^*b)^* = \varepsilon \cup \{a,b\}^*b$ are of star height 1, but $(a^*b^*c)^*$ is of star height 2.
The star height 1 problem is to decide whether a given recognizable language $L$ is of star height one. It was raised in a more general way by L.C. Eggan in 1963 [2]. Because $\mathrm{sh}(L) = 0$ is easily decidable, the star height 1 problem is equivalent to the question whether $\mathrm{sh}(L) \le 1$. In 1982, K. Hashiguchi showed that such an algorithm exists [4]. He showed in an involved proof that the language of an automaton $\mathcal{A}$ is of star height one iff $L(\mathcal{A}) = L(r)$ for a rational expression $r$ of a certain size with $\mathrm{sh}(r) = 1$. The "certain size" is a very large bound which depends on the number of states of $\mathcal{A}$.

Here, we give a new solution to the star height one problem by a reduction to the limitedness problem for dd-automata. This provides a much better, although still very large, bound for the complexity.
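As an added example (not part of the paper), a small parser for rational expressions together with the star-height function sh(r) defined above. It also makes visible that sh(L) is a minimum over expressions: the expression (a*b)* has star height 2, while the equivalent expression ε ∪ {a,b}*b has star height 1. The concrete syntax (letters, '|' for union, '*', parentheses, 'ε' for the empty word, '0' for the empty set) is an assumption of this example.

```python
# Added example, not from the paper: parse a rational expression and compute
# sh(r) by the rules sh(w) = 0, sh(rs) = sh(r ∪ s) = max(sh(r), sh(s)),
# sh(r*) = sh(r) + 1.  Surface syntax is constructed for this example.

def parse(text):
    """Recursive-descent parser.  Grammar: expr := term ('|' term)*;
    term := factor+; factor := atom '*'*; atom := symbol | '(' expr ')'.
    Every character other than '|', '*', '(' and ')' is a symbol; 'ε' and
    '0' are treated as symbols too (both have star height 0)."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else None

    def expr():
        nonlocal pos
        node = term()
        while peek() == "|":
            pos += 1
            node = ("union", node, term())
        return node

    def term():
        node = factor()
        while peek() not in (None, "|", ")"):
            node = ("cat", node, factor())
        return node

    def factor():
        nonlocal pos
        node = atom()
        while peek() == "*":          # r** is allowed and counts twice
            pos += 1
            node = ("star", node)
        return node

    def atom():
        nonlocal pos
        c = peek()
        if c == "(":
            pos += 1
            node = expr()
            if peek() != ")":
                raise SyntaxError("expected ')' at position %d" % pos)
            pos += 1
            return node
        if c is None or c in "|*)":
            raise SyntaxError("unexpected %r at position %d" % (c, pos))
        pos += 1
        return ("sym", c)

    node = expr()
    if pos != len(text):
        raise SyntaxError("trailing input at position %d" % pos)
    return node


def star_height(node):
    """sh(r) on the parse tree, following the definition in the text."""
    kind = node[0]
    if kind == "sym":
        return 0
    if kind in ("cat", "union"):
        return max(star_height(node[1]), star_height(node[2]))
    if kind == "star":
        return star_height(node[1]) + 1
    raise ValueError("unknown node kind %r" % kind)


def sh(text):
    """Star height of the *expression* text (an upper bound for sh(L(text)))."""
    return star_height(parse(text))
```

The two expressions `(a*b)*` and `ε|(a|b)*b` denote the same language, so sh of that language is at most 1 even though the first expression has height 2.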



5.1 Normal Forms of Rational Expressions 

Let $n \in \mathbb{N}$. A rational expression $r$ is in single string form if $r$ is of the form $r = a_1 K_1^* a_2 K_2^* \dots a_n K_n^*$ where for every $1 \le i \le n$, $a_i \in \Sigma$ and $K_i \subseteq \Sigma^+$ is finite. We call $n$ the length of $r$. The length of a longest word in the sets $K_i$ is called the degree of $r$ and denoted by $d(r)$. The empty word is a rational expression in string form of length and degree 0. A rational expression $s$ is in string form if $s = s_1 \cup \dots \cup s_k$ for a $k \ge 1$ where each $s_i$ is a rational expression in single string form. The degree of $s$ is the maximum of the degrees of $s_1, \dots, s_k$.

We can transform every rational expression $r$ with $\mathrm{sh}(r) \le 1$ into an equivalent expression in string form by using the distributivity of concatenation over union and inserting $\emptyset^*$, e.g., we transform $ab\{ab\}^*a$ into $a\emptyset^* b\{ab\}^* a\emptyset^*$ [6].

For the rest of the paper, let $L \subseteq \Sigma^*$ be a language which is recognized by a deterministic automaton $\mathcal{A} = [Q, \Sigma, q_I, F]$. It is of crucial importance that $\delta : Q \times \Sigma \to Q$ is total! We extend $\delta$ to $\delta : \mathcal{P}(Q) \times \Sigma^* \to \mathcal{P}(Q)$ as usual.

Let $n \ge 0$. A sequence $P_0, \dots, P_n \in \mathcal{P}_{ne}(Q)$ is called a single syntactic expression from $P_0$ to $P_n$ of length $n$. Every finite set of single syntactic expressions is called a syntactic expression.

Let $d \ge 1$. For every $P, R \in \mathcal{P}_{ne}(Q)$, let

1. $S_d(P) = \{\varepsilon\}$, and

2. $S_d(P, R) = \{a \in \Sigma \mid \delta(P, a) \subseteq R\}\ \{w \in \Sigma^+ \mid \delta(R, w) \subseteq R,\ |w| \le d\}^*$.

We define $S_d(P_0, \dots, P_n) = S_d(P_0, P_1)\, S_d(P_1, P_2) \cdots S_d(P_{n-1}, P_n)$ for every $P_0, \dots, P_n \in \mathcal{P}_{ne}(Q)$. For every syntactic expression $\mathcal{T}$, let $S_d(\mathcal{T}) = \bigcup_{t \in \mathcal{T}} S_d(t)$.

Let $d \ge 1$ and $P, R \in \mathcal{P}_{ne}(Q)$ be arbitrary. We can easily show $S_d(P, R, R) = S_d(P, R)\, S_d(R, R) \subseteq S_d(P, R)$. For every single syntactic expression $t$ from $P$ to $R$, and every $w \in S_d(t)$, we have $\delta(P, w) \subseteq R$.

Let $d, n \ge 1$. We denote by $\mathcal{Q}_n(\mathcal{A})$ the union of all single syntactic expressions from $\{q_I\}$ to subsets of $F$ of a length of at most $n$. For every $w \in S_d(\mathcal{Q}_n(\mathcal{A}))$, we have $\delta(q_I, w) \in F$. Because $\delta$ is total, we have $w \in L$, i.e., $S_d(\mathcal{Q}_n(\mathcal{A})) \subseteq L$.

Proposition 5. There are $d, n \ge 1$ with $L = S_d(\mathcal{Q}_n(\mathcal{A}))$ iff $\mathrm{sh}(L) \le 1$.

Proof (sketch). $\Rightarrow$: For given $d, n \ge 1$, we can easily construct a rational expression $r$ with $\mathrm{sh}(r) \le 1$ such that $L(r) = S_d(\mathcal{Q}_n(\mathcal{A})) = L$.

$\Leftarrow$: We have $L = L(r)$ for an expression $r$ in string form. We consider the case that $r = a_1 K_1^* \dots a_n K_n^*$. Let $d$ be the degree of $r$. Let $P_0 = \{q_I\}$, and for $1 \le i \le n$, let $P_i = \delta(P_{i-1}, a_i K_i^*)$. We have $L(r) \subseteq S_d(P_0, \dots, P_n)$. By $L(r) \subseteq L$, the inclusion $P_n \subseteq F$ holds. Thus, $P_0, \dots, P_n$ belongs to $\mathcal{Q}_n(\mathcal{A})$, and hence, $L = L(r) \subseteq S_d(\mathcal{Q}_n(\mathcal{A})) \subseteq L$.
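As an added example (not from the paper), the definitions of S_d(P, R), S_d(P_0, ..., P_n) and Q_n(A) made executable for a constructed total DFA recognizing (a*b)* = ε ∪ {a,b}*b, one of the star-height-1 languages from the beginning of Section 5. The membership test for a single syntactic expression is a dynamic programme over the factorization in the definition, and the test for Q_n(A) searches over all candidate sequences P_0, ..., P_k; the automaton, the state names and the function names are assumptions of this example.

```python
from functools import lru_cache
from itertools import combinations, product

# Constructed example automaton (not from the paper): a total deterministic
# automaton A = [Q, Σ, q_I, F] for L = (a*b)* = {ε} ∪ {a,b}*b.  State "q1"
# (initial and accepting) means "nothing read yet or last letter was b",
# state "q2" means "last letter was a".  δ is total, as Section 5.1 requires.
ALPHABET = ("a", "b")
STATES = ("q1", "q2")
INITIAL = "q1"
FINAL = frozenset({"q1"})
DELTA = {("q1", "a"): "q2", ("q1", "b"): "q1",
         ("q2", "a"): "q2", ("q2", "b"): "q1"}


def step(P, w):
    """δ extended to sets of states and words: δ(P, w) = {δ(q, w) | q ∈ P}."""
    cur = frozenset(P)
    for a in w:
        cur = frozenset(DELTA[(q, a)] for q in cur)
    return cur


def in_L(w):
    """Membership in L = L(A)."""
    return step({INITIAL}, w) <= FINAL


def nonempty_subsets():
    """P_ne(Q): the non-empty subsets of Q."""
    for k in range(1, len(STATES) + 1):
        for c in combinations(STATES, k):
            yield frozenset(c)


def in_single(seq, d, w):
    """Decide w ∈ S_d(P_0, ..., P_n) for one single syntactic expression seq.
    reach[i][j] means: the prefix w[:i] lies in S_d(P_0, ..., P_j)."""
    n = len(seq) - 1
    reach = [[False] * (n + 1) for _ in range(len(w) + 1)]
    reach[0][0] = True                                  # S_d(P_0) = {ε}
    for i in range(len(w) + 1):
        for j in range(n + 1):
            if not reach[i][j]:
                continue
            # starred part of S_d(P_{j-1}, P_j): blocks u with 1 <= |u| <= d
            # and δ(P_j, u) ⊆ P_j, available once the opening letter was read
            if j >= 1:
                for ln in range(1, d + 1):
                    if i + ln <= len(w) and step(seq[j], w[i:i + ln]) <= seq[j]:
                        reach[i + ln][j] = True
            # opening letter of S_d(P_j, P_{j+1}): a with δ(P_j, a) ⊆ P_{j+1}
            if j < n and i < len(w) and step(seq[j], w[i]) <= seq[j + 1]:
                reach[i + 1][j + 1] = True
    return reach[len(w)][n]


def in_Qn(d, n, w):
    """Decide w ∈ S_d(Q_n(A)) by searching over all single syntactic
    expressions {q_I} = P_0, ..., P_k with k <= n and P_k ⊆ F."""
    subsets = list(nonempty_subsets())

    @lru_cache(maxsize=None)
    def search(i, P, j):
        if i == len(w):
            return P <= FINAL              # at P_k: accept iff P_k ⊆ F
        if j >= 1:
            for ln in range(1, d + 1):
                if (i + ln <= len(w) and step(P, w[i:i + ln]) <= P
                        and search(i + ln, P, j)):
                    return True
        if j < n:
            img = step(P, w[i])
            # any non-empty R ⊇ δ(P, a) may serve as P_{j+1}; R = Q absorbs
            # every loop, but the sequence must still end inside F
            return any(img <= R and search(i + 1, R, j + 1) for R in subsets)
        return False

    return search(0, frozenset({INITIAL}), 0)


def agrees_with_L(d, n, max_len):
    """Check S_d(Q_n(A)) = L on all words of length <= max_len.  Prop. 5 says
    such d, n exist iff sh(L) <= 1; for this L, d = 1 and n = 2 suffice."""
    for ln in range(max_len + 1):
        for letters in product(ALPHABET, repeat=ln):
            w = "".join(letters)
            if in_Qn(d, n, w) != in_L(w):
                return False
    return True
```

With n = 1 the syntactic expressions from {q1} can only reach {q1} again, so S_1(Q_1(A)) misses ab; with n = 2 the sequence {q1}, Q, {q1} covers every word ending in b.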



5.2 A Reduction to the Limitedness Problem for dd-Automata

We show the decidability of the existence of $d, n \ge 1$ with $L = S_d(\mathcal{Q}_n(\mathcal{A}))$. By following a similar approach as K. Hashiguchi [3,4], we can construct for each given $d \in \mathbb{N}$ a distance automaton $\mathcal{A}_d$ which is limited iff there is some $n$ such that $L = S_d(\mathcal{Q}_n(\mathcal{A}))$. Conversely, we can construct for each $n \in \mathbb{N}$ a desert automaton $\mathcal{A}'_n$ which is limited iff there is some $d$ such that $L = S_d(\mathcal{Q}_n(\mathcal{A}))$.

We construct a dd-automaton $\mathcal{A}'$ which is limited iff there are $d, n \ge 1$ with $L = S_d(\mathcal{Q}_n(\mathcal{A}))$. In [6], we explain this construction for the language $(a \cup b^*c)^*$. Let $Q' = \{q'_I\} \cup (\mathcal{P}_{ne}(Q) \times \mathcal{P}_{ne}(Q))$. We define the transitions $E'$, and among them the peages and the water transitions, as follows. Let $a \in \Sigma$.

1. For every $P, R \in \mathcal{P}_{ne}(Q)$, $((P,P), a, (R,R))$ is a transition of $\mathcal{A}'$ iff $P \ne R$ and $\delta(P, a) \subseteq R$. This transition is both a water transition and a peage. Moreover, for every $R \in \mathcal{P}_{ne}(Q)$, $(q'_I, a, (R,R))$ is a transition of $\mathcal{A}'$ iff $\delta(q_I, a) \subseteq R$. This transition is both a water transition and a peage.

2. For every $P_1, P_2, R \in \mathcal{P}_{ne}(Q)$, $((P_1,R), a, (P_2,R))$ is a transition of $\mathcal{A}'$ iff $\delta(P_1, a) \subseteq P_2$. It is not a peage. It is a water transition iff $P_2 = R$.

This construction is closely related to our notion of syntactic expressions: let $d \ge 1$ and $P_1, P_2 \in \mathcal{P}_{ne}(Q)$ with $P_1 \ne P_2$. Choose some arbitrary $w \in S_d(P_1, P_2)$. We factorize $w$ according to the definition of $S_d(P_1, P_2)$. There are some $a \in \Sigma$, $k \ge 0$, and $w_1, \d

ots, w_k \in \Sigma^+$ such that $w = a w_1 \dots w_k$. Moreover, we can assume $\delta(P_1, a) \subseteq P_2$ and for every $1 \le i \le k$, $\delta(P_2, w_i) \subseteq P_2$ and $|w_i| \le d$. The automaton $\mathcal{A}'$ can read $a$ from $(P_1,P_1)$ to $(P_2,P_2)$. The transition $((P_1,P_1), a, (P_2,P_2))$ is both a peage and a water transition. For every $1 \le i \le k$, $\mathcal{A}'$ can read $w_i$ in a loop at $(P_2,P_2)$ by visiting only states in $\mathcal{P}_{ne}(Q) \times \{P_2\}$. The last transition is a water transition. In this way, $\mathcal{A}'$ can read $w = a w_1 \dots w_k$ from $(P_1,P_1)$ to $(P_2,P_2)$ along some path $\pi$ such that $\pi$ contains exactly one peage and $\pi$ does not contain $d$ consecutive non-water transitions.

Now, let $P_3 \in \mathcal{P}_{ne}(Q)$ with $P_2 \ne P_3$, and choose some $w' \in S_d(P_1, P_2, P_3)$. By following the same idea, $\mathcal{A}'$ can read $w'$ from $(P_1,P_1)$ to $(P_3,P_3)$ along some path $\pi'$ such that $\pi'$ contains exactly two peages and $\pi'$ does not contain $d$ consecutive non-water transitions.

We complete the definition of $\mathcal{A}'$ by defining the set of accepting states as $F' = \{(P,P) \mid P \in \mathcal{P}_{ne}(F)\}$. If $\varepsilon \in L$, then $q'_I$ is also an accepting state. We denote the mapping of $\mathcal{A}'$ by $\Delta$.

Let $P_1, R_1, P_2, R_2 \in \mathcal{P}_{ne}(Q)$. If there is a path from $(P_1,R_1)$ to $(P_2,R_2)$ in $\mathcal{A}'$ with some label $w$, then $\delta(P_1, w) \subseteq P_2$. For every $w \in L(\mathcal{A}')$, we have $\delta(q_I, w) \in F$, and thus, $w \in L$.

Let $w = a_1 \dots a_{|w|} \in L$. There is a successful path in $\mathcal{A}'$ with the label $w$ from $q'_I$ along the states $(\{\delta(q_I, a_1 \dots a_i)\}, \{\delta(q_I, a_1 \dots a_i)\})$ for $1 \le i \le |w|$. Hence, $w \in L(\mathcal{A}')$. To sum up, $L(\mathcal{A}') = L$.

Proposition 6. Let $d, n \ge 1$ and $w \in S_d(\mathcal{Q}_n(\mathcal{A}))$. There is a successful path $\pi$ in $\mathcal{A}'$ with the label $w$ and $\Delta(\pi) \le d + n$. In particular, $\pi$ contains at most $n$ peages and at most $d - 1$ consecutive non-water transitions.

Proof (sketch). Let $1 \le k \le n$ and $P_0, \dots, P_k \in \mathcal{P}_{ne}(Q)$, $P_0 = \{q_I\}$, $P_k \subseteq F$ such that $w \in S_d(P_0, \dots, P_k)$. We can assume that for $2 \le i \le k$, $P_{i-1} \ne P_i$. For $1 \le i \le k$, let $w_i \in S_d(P_{i-1}, P_i)$ such that $w = w_1 \dots w_k$.

Let $2 \le i \le k$. There are an $a_i \in \Sigma$, some $k_i \ge 0$, and $w_{i,1}, \dots, w_{i,k_i}$ such that $w_i = a_i w_{i,1} \dots w_{i,k_i}$, $\delta(P_{i-1}, a_i) \subseteq P_i$, and for every $1 \le j \le k_i$, $\delta(P_i, w_{i,j}) \subseteq P_i$ and $|w_{i,j}| \le d$. There is a transition $((P_{i-1},P_{i-1}), a_i, (P_i,P_i))$ in $\mathcal{A}'$. It is both a water transition and a peage. For every $1 \le j \le k_i$, there is a path $\pi_{i,j}$ in $\mathcal{A}'$ from $(P_i,P_i)$ to $(P_i,P_i)$ with the label $w_{i,j}$. These paths $\pi_{i,j}$ visit only states of the form $(R, P_i)$ for some $R \in \mathcal{P}_{ne}(Q)$. Hence, these paths do not contain any peage, and the last transition of each $\pi_{i,j}$ is a water transition. It is possible that $(P_i,P_i)$ occurs inside the paths $\pi_{i,j}$. Hence, it is possible that some path $\pi_{i,j}$ contains more than one water transition. Let $\pi_i = ((P_{i-1},P_{i-1}), a_i, (P_i,P_i))\,\pi_{i,1} \dots \pi_{i,k_i}$. The label of $\pi_i$ is $a_i w_{i,1} \dots w_{i,k_i} = w_i$.

Similarly, we construct a path $\pi_1$ which starts in $q'_I$, ends in $(P_1,P_1)$, and is labeled with $w_1$. We prove the proposition by setting $\pi = \pi_1 \dots \pi_k$.

Proposition 7. Let $w \in L(\mathcal{A}')$. We have $w \in S_{\Delta(w)}(\mathcal{Q}_{\Delta(w)}(\mathcal{A}))$.

Proof (sketch). Let $\pi$ be a successful path in $\mathcal{A}'$ with the label $w$ and $\Delta(\pi) = \Delta(w)$. Let $k \le \Delta(w)$ be the number of peages in $\pi$. We split $\pi$ into $\pi = \pi_1 \dots \pi_k$ such that every path $\pi_1, \dots, \pi_k$ starts with a peage.

Let $P_0 = \{q_I\}$. For every $1 \le i \le k$, the path $\pi_i$ ends in a state of the form $(P_i,P_i)$ for some $P_i \in \mathcal{P}_{ne}(Q)$; $\pi_1, \dots, \pi_k$ start with a peage, and $\pi_k$ ends in an accepting state. We have $P_k \subseteq F$. For every $1 \le i \le k$, one can show that the label of $\pi_i$ belongs to $S_{\Delta(w)}(P_{i-1}, P_i)$. Thus, $w \in S_{\Delta(w)}(P_0, \dots, P_k)$. Because $P_0, \dots, P_k$ belongs to $\mathcal{Q}_{\Delta(w)}(\mathcal{A})$, we have $w \in S_{\Delta(w)}(\mathcal{Q}_{\Delta(w)}(\mathcal{A}))$.

By $L = L(\mathcal{A}')$ and Prop. 5, 6, 7 we obtain the following corollary:

Corollary 2. We have $\mathrm{sh}(L) \le 1$ iff $\mathcal{A}'$ is limited.

Proof (Theorem 2). If $L$ is finite, then $\mathrm{sh}(L) = 0$. If $L$ is infinite, then we construct $\mathcal{A}'$. By Corollary 2, it suffices to decide whether $\mathcal{A}'$ is limited. A total deterministic automaton for $L$ has at most $2^n$ states. Hence, $\mathcal{A}'$ has at most $4^{2^n} + 1$ states. By Theorem 1, we can decide in time complexity $2^{2^{\mathcal{P}(n)}}$ whether $\mathcal{A}'$ is limited.
6 Next Research Steps and Open Problems

In a forthcoming paper [7], we generalize the ideas of the present paper to achieve a new algorithm for the star height $n$ problem.

It is an open question whether the limitedness problem for distance desert 
automata is in PSPACE. We do not even know whether the limitedness problem 
for desert automata is in PSPACE. Another open question is whether there is 
an algorithm for the star height 1 problem with a better complexity. 
Abstract. We introduce adhesive categories, which are categories with structure ensuring that pushouts along monomorphisms are well-behaved. Many types of graphical structures used in computer science are shown to be examples of adhesive categories. Double-pushout graph rewriting generalises well to rewriting on arbitrary adhesive categories.



Introduction 

Recently there has been renewed interest in reasoning using graphical methods, particularly within the fields of mobility and distributed computing [19] as well as applications of semantic techniques in molecular biology [6,4]. Research has also progressed on specific graphical models of computation [18]. As the number of various models grows, it is important to understand the basic underlying principles of computation on graphical structures. Indeed, a solid understanding of the foundations of a general class of models (provided by adhesive categories, introduced in this paper), together with a collection of general semantic techniques (for example [21]) will provide practitioners and theoreticians alike with a toolbox of standard techniques with which to construct the models, define the semantics and derive proof-methods for reasoning about these.

Category theory provides uniform proofs and constructions across a wide 
range of models. The usual approach is to find a natural class of categories 
with the right structure to support the range of constructions particular to the 
application area. A well-known example is the class of cartesian-closed categories, 
which provides models for simply typed lambda calculi [17]. 

In this paper we shall demonstrate that adhesive categories have structure 
which allows a development of a rich general theory of double-pushout (d-p) 
rewriting [13]. D-p graph rewriting has been widely studied and the field can be 
considered relatively mature [20,8,12]. 

In d-p rewriting, a rewrite rule is given as a span $L \leftarrow K \rightarrow R$. Roughly, the intuition is that $L$ forms the left-hand side of the rewrite rule, $R$ forms the right-hand side and $K$, common to both $L$ and $R$, is the sub-structure to be unchanged as the rule is applied. To apply the rule to a structure $C$, one first needs to find a match $L \rightarrow C$ of $L$ within $C$. The rule is then applied by constructing the missing parts ($E$, $D$ and arrows) of the following diagram

    L <---- K ----> R
    |       |       |
    v       v       v
    C <---- E ----> D

in a way which ensures that the two squares are pushout diagrams. Once such a diagram is constructed we may deduce that $C \rhd D$, that is, $C$ rewrites to $D$.

D-p rewriting is formulated in categorical terms and is therefore portable to 
structures other than directed graphs. There have been several attempts [11,9] 
to isolate classes of categories in which one can perform d-p rewriting and in 
which one can develop the rewriting theory to a satisfactory level. In particular, 
several axioms were put forward in [11] in order to prove a local Church-Rosser 
theorem for such general rewrite systems. Additional axioms were needed to 
prove a general version of the so-called concurrency theorem [14]. 

An important general construction which appears in much of the literature on graphical structures in computer science is the pushout construction. Sometimes referred to as generalised union [9], it can often be thought of as the construction of a larger structure from two smaller structures by gluing them together along a shared substructure.

One can think of adhesive categories as categories in which pushouts along monomorphisms are "well-behaved", where the paradigm for behaviour is given by the category of sets. An example of the good behaviour of these pushouts is that they are stable under pullback (the dual notion to pushout, which intuitively can often be thought of as a "generalised intersection"). The idea is analogous to that of extensive categories [3], which have well-behaved coproducts in a similar sense. Since coproducts can be obtained with pushouts and an initial object, and an initial object is "well-behaved" if it is strict, one might expect that adhesive categories with a strict initial object would be extensive, and this indeed turns out to be the case.

Various notions of graphical structures used in computer science form adhesive categories. This includes ordinary directed graphs, typed graphs [1] and hypergraphs [11], amongst others. The structure of adhesive category allows us to derive useful properties. For instance, the union of two subobjects is calculated as the pushout over their intersection, which corresponds well with the intuition of pushout as generalised union.

We shall consider adhesive grammars which are d-p rewrite systems on adhesive categories. We show that the resulting rewriting theory is satisfactory by proving the local Church-Rosser theorem and the concurrency theorem without the need for extra axioms. We shall also examine how adhesive categories fit within the previously conceived general frameworks for rewriting [11,9]. Many of the axioms put forward in [11] follow elegantly as lemmas from the axioms of adhesive categories.

Adhesive categories, therefore, provide a satisfactory model in which to define a theory of rewriting on "graph-like" structures. They are mathematically elegant and arguably less ad-hoc than previous approaches. We firmly believe that they will prove useful in the development of further theory in the area of semantics of graph-based computation, and in particular, in the development of a contextual theory of graph rewriting.

Structure of the paper. In §1 we recall the definition of extensive categories. The 
notion of van Kampen (VK) square is given in §2. VK squares are central in the 
definition of adhesive categories which are introduced in §3. In §4 we state and 
prove some basic lemmas which hold in any adhesive category. We also show 
that the subobjects of an object in an adhesive category form a distributive 
lattice, with the union of two subobjects constructed as the pushout over their 
intersection. We develop double-pushout rewriting theory in adhesive categories 
in §5 and offer a comparison with High-Level Replacement Categories in §6. We 
conclude in §7 with directions for future research. 

Many of the proofs have been omitted. The interested reader may wish to 
consult the full version [15]. 

1 Extensive Categories 

Throughout the paper we assume that the reader is familiar with basic concepts of category theory. In this section we recall briefly the notion of extensive category [3].

Definition 1 A category C is said to be extensive when 

(i) it has finite coproducts 

(ii) it has pullbacks along coproduct injections 

(iii) given a diagram where the bottom row is a coproduct diagram

    X ----> Z <---- Y
    |       |       |
    v       v       v
    A ----> A+B <---- B

the two squares are pullbacks if and only if the top row is a coproduct.

The third axiom states what we mean when we say that the coproduct $A + B$ is "well-behaved": it includes the fact that coproducts are stable under pullback, and it implies that coproducts are disjoint (the pullback of the coproduct injections is initial) and that initial objects are strict (any arrow to an initial object must be an isomorphism). It also implies a cancellativity property of coproducts: given an isomorphism $A + B \cong A + C$ compatible with the injections, one can construct an isomorphism $B \cong C$. For an object $Z$ of an extensive category, the lattice $\mathrm{Sub}(Z)$ of coproduct summands of $Z$ is a Boolean algebra.

2 Van Kampen Squares 

The definition of adhesive category is stated in terms of something called a van Kampen square, which can be thought of as a "well-behaved pushout", in a similar way to which coproducts can be thought of as "well-behaved" in an extensive category; essentially this means that they behave as they do in the category of sets.

The name van Kampen derives from the relationship between these squares and the van Kampen theorem in topology, in its "coverings version", as presented for example in [2]. This relationship is described in detail in [16].

Definition 2 (van Kampen square) A van Kampen (VK) square (i) is a pushout which satisfies the following condition: given a commutative cube (ii) of which (i) forms the bottom face and the back faces are pullbacks,

    [diagram (i): the pushout square with arrows m and n; diagram (ii): the commutative cube having (i) as its bottom face]

the front faces are pullbacks if and only if the top face is a pushout. Another way of stating the "only if" condition is that such a pushout is required to be stable under pullback.

Another, equivalent, way of defining a VK square in a category with pullbacks is as follows. A VK square is a pushout which satisfies the property that given a commutative diagram (iii), the two squares are pullbacks if and only if there exists an object $C''$ and morphisms

    [diagram (iii): A' -> D' <- B' over A -> D <- B; diagram (iv): A' <- C'' -> B' over A <- C -> B; diagram (v): the square A', B', C'', D']

so that the squares in (iv) are pullbacks and (v) is a pushout.

By a pushout along a monomorphism we mean a pushout, as in Diagram (i) 
above, in which m is a monomorphism. Similarly, if m is a coproduct injection, 
we have a pushout along a coproduct injection. 

A crucial class of examples of VK squares is provided by: 

Theorem 3. In an extensive category, pushouts along coproduct injections are 
VK squares. 

We have the following important properties of VK squares: 
Lemma 4 In a VK square as in (i), if $m$ is a monomorphism then $n$ is a monomorphism and the square is also a pullback.



Proof. Suppose that the bottom face of the cube

    [cube diagram omitted in this extraction: bottom and top faces are the given square, the back faces are its pullbacks along m]

is VK. Then the top and bottom squares are pushouts, while the back squares are pullbacks if $m$ is a monomorphism. Thus the front faces will be pullbacks: the front right face being a pullback means that $n$ is a monomorphism, and the front left face being a pullback means that the original square is a pullback.



3 Adhesive Categories 

We shall now proceed to define the notion of adhesive category, and provide 
various examples and counterexamples. 

Definition 5 (Adhesive category) A category C is said to be adhesive if 

(i) C has pushouts along monomorphisms; 

(ii) C has pullbacks; 

(iii) pushouts along monomorphisms are VK-squares. 

Just as the third axiom of extensive categories (Definition 1) ensures that coproducts are "well-behaved", it is the third axiom of adhesive categories which ensures that pushouts along monomorphisms are "well-behaved". This includes the fact that such pushouts are stable under pullback.

Since every monomorphism in Set is a coproduct injection, and Set is extensive, we immediately have:

Example 6 Set is adhesive. 

Observe that the restriction to pushouts along monomorphisms is necessary: there are pushouts in Set which are not VK squares. Consider the 2-element abelian group $\mathbb{Z}_2$ (the following argument works for any non-trivial group). In the diagram

    [cube diagram omitted in this extraction: its faces involve $\mathbb{Z}_2$ and the terminal object 1]

both the bottom and the top faces are easily verified to be pushouts and the rear faces are both pullbacks. However, the front two faces are not pullbacks.

Even with the restriction to pushouts along a monomorphism, many well- 
known categories fail to be adhesive. 

Counterexample 7 The categories Pos, Top, Gpd and Cat are not adhesive. 

Since the definition of adhesive category only uses pullbacks, pushouts, and relationships between these, we have the following constructions involving adhesive categories:

Proposition 8 

(i) If C and D are adhesive categories then so is C x D; 

(ii) If $\mathbf{C}$ is adhesive then so are $\mathbf{C}/C$ and $C/\mathbf{C}$ for any object $C$ of $\mathbf{C}$;

(iii) If C is adhesive then so is any functor category [X, C]. 

Since Set is adhesive, part (iii) of the proposition implies that any presheaf topos $[\mathbf{X}, \mathrm{Set}]$ is adhesive. In particular, the category Graph of directed graphs is adhesive. Indeed, if $\mathbf{C}$ is adhesive, then so is the category $\mathrm{Graph}(\mathbf{C}) = [\bullet \rightrightarrows \bullet, \mathbf{C}]$ of internal graphs in $\mathbf{C}$.

Part (ii) implies that categories of typed graphs [1], coloured (or labelled) 
graphs [5] and hypergraphs [11], considered in the literature on graph grammars, 
are adhesive. 

As a consequence, all proof techniques and constructions in adhesive categories can be readily applied to any of the aforementioned categories of graphs.
In fact, more generally, we have: 

Proposition 9 Any elementary topos is adhesive. 

This is somewhat harder to prove than the result for presheaf toposes; the proof 
can be found in [16]. 

Part (ii) of Proposition 8 also allows us to construct examples of adhesive 
categories which are not toposes. 

Example 10 The category Set* = 1/Set of pointed sets (or equivalently, sets 
and partial functions) is adhesive, but is not extensive, and therefore, is not a 
topos. 

4 Basic Properties of Adhesive Categories 

Here we provide several simple lemmas which hold in any adhesive category. Lemma 11 demonstrates why adhesive categories can be considered as a generalisation of extensive categories. Lemmas 12, 13, 15 and 16 shed some light on pushouts in adhesive categories.

Lemma 11 An adhesive category is extensive if and only if it has a strict initial 
object. 
Proof. In an extensive category the initial object is strict [3, Proposition 2.8]. On the other hand, in an adhesive category with strict initial object, any arrow with domain 0 is mono. Consider the cube

    [cube diagram omitted in this extraction: bottom face is a pushout along a monomorphism out of the initial object 0]

in which the bottom square is a pushout along a monomorphism, while the back squares are pullbacks since the initial object is strict. By adhesiveness, the front squares are pullbacks if and only if the top square is a pushout; but this says that the front squares are pullbacks if and only if the top row of these squares is a coproduct ($Z = X + Y$).

The conclusions of the following two lemmas are used extensively in literature 
on algebraic graph rewriting. Indeed, they are usually assumed as axioms (see 
[9] and §6 below) in attempts at generalising graph rewriting. They hold in any 
adhesive category by Lemma 4: 

Lemma 12 Monomorphisms are stable under pushout. 



Lemma 13 Pushouts along monomorphisms are also pullbacks. 

The notion of pushout complement [13] is vital in algebraic approaches to graph rewriting.

Definition 14 Let $m : C \rightarrow A$ and $g : A \rightarrow D$ be arrows in an arbitrary category ($m$ is not assumed to be mono). A pushout complement of the pair $(m, g)$ consists of arrows $f : C \rightarrow B$ and $n : B \rightarrow D$ for which the resulting square commutes and is a pushout. We shall sometimes refer to pushout complements of monos; this refers to pushout complements of pairs $(m, g)$ where $m$ is mono.

The conclusion of the following lemma is a crucial ingredient in many applications of graph rewriting. It has also been assumed as an axiom [11] in order to prove the concurrency theorem (cf. Theorem 27). It is important mainly because it assures that once an occurrence of a left hand side of a rewrite rule is found within a structure, then the application of the rewrite rule results in a structure which is unique up to isomorphism (cf. §5). In other words, rewrite rule application is functional up to isomorphism.

Lemma 15 Pushout complements of monos (if they exist) are unique up to 
isomorphism. 




S. Lack and P. Sobocinski

Proof. Suppose that the following diagrams

    C --m--> A          C --m--> A
    |        |          |        |
    f        g          f'       g
    v        v          v        v
    B --n--> D          B' -n'-> D



are pushouts and that $m$ is mono. Consider the cube

    [cube diagram omitted in this extraction: it has the two squares above as bottom and top faces, joined by h and the identities]

in which the front right face is a pullback, $h : C \rightarrow U$ is the map induced by $f$ and $f'$, and the unnamed arrows are identities. Then the front faces and the back left face are pullbacks, hence the back right face is also a pullback; and the bottom face is a pushout, hence the top face is a pushout. But this implies that $k$ is invertible, since it is the pushout of $1_C$. By symmetry, so too is $l$. The induced isomorphism $j = kl^{-1} : B \rightarrow B'$ satisfies $n'j = n$ and $jf = f'$.

The final lemma of this section will be used in Section 6 to show that adhesive 
categories are high-level replacement categories: 

Lemma 16 Consider a diagram

    A ----> B ----> E
    |       |       |
    v       v       w
    v       v       v
    C ----> D ----> F

in which the marked morphisms are mono, the exterior is a pushout and the right square is a pullback. Then the left square is a pushout, and so all squares are both pullbacks and pushouts.

Proof. This amounts to stability of the exterior pushout under pullback along $w : D \rightarrow F$.



4.1 Algebra of Subobjects 

We can put a preorder on monomorphisms into an object $Z$ of an arbitrary category by defining a monomorphism $a : A \rightarrow Z$ to be less than or equal to a monomorphism $b : B \rightarrow Z$ precisely when there exists an arrow $c : A \rightarrow B$ such that $bc = a$. A subobject (of $Z$) is an equivalence class with respect to the equivalence generated by this preorder. For example, subobjects in Set are subsets while subobjects in Graph are subgraphs.

Here we shall demonstrate that, in adhesive categories, unions of two subobjects can be constructed by pushout over their intersection. This provides further evidence of how pushouts behave in adhesive categories as well as making more precise the intuition that the pushout operation "glues together" two structures along a common substructure. As a corollary, it follows that in an adhesive category the lattices of subobjects are distributive.

Let $\mathbf{C}$ be an adhesive category, and $Z$ a fixed object of $\mathbf{C}$. We write $\mathrm{Sub}(Z)$ for the category of subobjects of $Z$ in $\mathbf{C}$; it has products (= intersections), given by pullback in $\mathbf{C}$. It has a top object, given by $Z$ itself. If $\mathbf{C}$ has a strict initial object 0, then the unique map $0 \rightarrow Z$ is a monomorphism, and is the bottom object of $\mathrm{Sub}(Z)$.

Theorem 17. For an object Z of an adhesive category C, the category Sub(Z ) 
of subobjects of Z has binary coproducts: the coproduct of two subobjects is the 
pushout in C of their intersection. 

Since pushouts are stable it follows that intersections distribute over unions: 



Corollary 18 The lattice Sub(Z) is distributive. 

5 Double-Pushout Rewriting 

Here we shall recall the basic notions of double-pushout rewriting [13,20] and 
show that it can be defined within an arbitrary adhesive category. 

Henceforth we shall assume that C is an adhesive category. 

Definition 19 (Production) A production $p$ is a span 

$$L \xleftarrow{\;l\;} K \xrightarrow{\;r\;} R \qquad (1)$$

in $\mathbf{C}$. We shall say that $p$ is left-linear when $l$ is mono, and linear when both $l$ 
and $r$ are mono. We shall let $\mathcal{P}$ denote an arbitrary set of productions and let $p$ 
range over $\mathcal{P}$. 

In order to develop an intuition of why a production is defined as a span, 
we shall restrict our attention to linear production rules. One may then consider 
$K$ as a substructure of both $L$ and $R$. We think of $L$ and $R$ as respectively the 
left-hand side and the right-hand side of the rewrite rule $p$. In order to perform 
the rewrite, we need to match $L$ as a substructure of a redex $C$. The structure 
$K$, thought of as a substructure of $L$, is exactly the part of $L$ which is to remain 
invariant as we apply the rule to $C$. 

Thus, an application of a rewrite rule consists of three steps. First we must 
match $L$ as a substructure of the redex $C$; secondly, we delete all parts of the 
redex matched by $L$ which are not included in $K$. Thirdly, we add all of $R$ which 
is not contained in $K$, thereby producing a new structure $D$. The deletion and 
addition of structure is handled, respectively, by finding a pushout complement 
and constructing a pushout. 
Definition 20 (Gluing Conditions) Given a production $p$ as in (1), a match 
in $C$ is a morphism $f : L \to C$. A match $f$ satisfies the gluing conditions with 
respect to $p$ precisely when there exists an object $E$ and morphisms $g : K \to E$ 
and $v : E \to C$ such that 

$$\begin{array}{ccc} L & \xleftarrow{\;l\;} & K \\ {\scriptstyle f}\big\downarrow & & \big\downarrow{\scriptstyle g} \\ C & \xleftarrow{\;v\;} & E \end{array}$$

is a pushout diagram. (In other words, there exists a pushout complement of 
$(l, f)$ in the sense of Definition 14.) 



Definition 21 (Derivation) Given an object $C \in \mathbf{C}$ and a set of productions 
$\mathcal{P}$, we write $C \Rightarrow_{p,f} D$ for a production $p \in \mathcal{P}$ and a morphism $f : L \to C$ if 
(a) $f$ satisfies the gluing conditions with respect to $p$, and (b) there is a diagram 

$$\begin{array}{ccccc} L & \xleftarrow{\;l\;} & K & \xrightarrow{\;r\;} & R \\ {\scriptstyle f}\big\downarrow & & \big\downarrow{\scriptstyle g} & & \big\downarrow{\scriptstyle h} \\ C & \xleftarrow{\;v\;} & E & \xrightarrow{\;w\;} & D \end{array}$$

in which both squares are pushouts. 

The object $E$ in the above diagram can be thought of as a temporary state in 
the middle of the rewrite process. Returning briefly to our informal description, 
it is the structure obtained from $C$ by deleting all the parts of $L$ not contained in 
$K$. Recall from Lemma 15 that if $l$ is mono (that is, if $p$ is left-linear) then $E$ is 
unique up to isomorphism. Indeed, if $p$ is a left-linear production, $C \Rightarrow_{p,f} D$ 
and $C \Rightarrow_{p,f} D'$ then we must have $D \cong D'$. This is a consequence of Lemma 15 
and the fact that pushouts are unique up to isomorphism. 

Definition 22 (Adhesive Grammar) An adhesive grammar $G$ is a pair 
$(\mathbf{C}, \mathcal{P})$ where $\mathbf{C}$ is an adhesive category and $\mathcal{P}$ is a set of linear productions. 

Assuming that all the productions are linear allows us to derive a rich rewrit- 
ing theory on adhesive categories. Henceforward we assume that we are working 
over an adhesive grammar G. 

5.1 Local Church-Rosser Theorem 

As shall be explained in Section 6, adhesive categories with coproducts are high- 
level replacement categories. In particular, we get the local Church-Rosser the- 
orem [14,9]. 

Before presenting this theorem we need to recall briefly the notions of parallel- 
independent derivation and sequential-independent derivation. The reader may 
wish to consult [5] for a more complete presentation. 

A parallel-independent derivation is a pair of derivations 

$$C \Rightarrow_{p_1, f_1} D_1 \qquad\text{and}\qquad C \Rightarrow_{p_2, f_2} D_2$$

(two double-pushout diagrams sharing the object $C$) which satisfy an additional 
requirement, namely the existence of morphisms $r : L_1 \to E_2$ and $s : L_2 \to E_1$ 
which render the diagram commutative, in the sense that $v_2 r = f_1$ and $v_1 s = f_2$. 




Similarly, a sequential-independent derivation is a derivation 

$$C \Rightarrow_{p_1, f_1} D_1 \Rightarrow_{p_2, f_2} D$$

where there additionally exist arrows $r' : R_1 \to E_2$ and $s' : L_2 \to E_1$ such that 
$w_1 s' = f_2$ and $v_2 r' = h_1$. 




The statement of the theorem below differs from those previously published 
in the literature in that we do not need coproducts to establish the equivalence 
of the first 3 items. 

Theorem 23 (Local Church-Rosser). The following are equivalent 

1. $C \Rightarrow_{p_1, f_1} D_1$ and $C \Rightarrow_{p_2, f_2} D_2$ are parallel-independent derivations 

2. $C \Rightarrow_{p_1, f_1} D_1$ and $D_1 \Rightarrow_{p_2, f_2'} D$ are sequential-independent derivations 

3. $C \Rightarrow_{p_2, f_2} D_2$ and $D_2 \Rightarrow_{p_1, f_1'} D$ are sequential-independent derivations. 

If moreover $\mathbf{C}$ is extensive then we may add the so-called parallelism theorem 

4. $C \Rightarrow_{p_1 + p_2, [f_1, f_2]} D$ is a derivation. 

In fact, the proof that (1) $\Rightarrow$ (2) remains valid more generally in the context 
of left-linear productions, but the proof of the converse requires linearity. 
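The three steps of a rewrite (match, delete via a pushout complement, add via a pushout) and the parallel-independence condition of this subsection can be carried out concretely in Graph. The following Python code is an added example, not code from the paper: it represents a linear production by inclusions $K \subseteq L$ and $K \subseteq R$, checks the gluing conditions of Definition 20 in their Graph form (the identification and dangling conditions), computes $E$ and $D$ as in Definition 21 by gluing $R$ onto $E$ along $K$, and tests whether two matches into the same graph are parallel independent. The function names, the `("new", x)` scheme for fresh identifiers and the sample graphs are assumptions made for the example.

```python
"""Double-pushout (DPO) graph rewriting: an added example, not code from
the paper.  Graphs: a set of node ids plus a dict edge id -> (src, tgt).
A linear production (L <- K -> R) is given with K a subgraph of both L
and R, so both monos are inclusions.  A match L -> G is a pair of dicts
(on nodes, on edges); it need not be injective, which is why both
gluing conditions (identification and dangling) are checked."""
from dataclasses import dataclass


@dataclass
class Graph:
    nodes: frozenset
    edges: dict  # edge id -> (source node, target node)


def graph(nodes, edges):
    """Build a graph, rejecting edges whose endpoints are missing."""
    g = Graph(frozenset(nodes), dict(edges))
    for e, (s, t) in g.edges.items():
        if s not in g.nodes or t not in g.nodes:
            raise ValueError(f"edge {e!r} has a missing endpoint")
    return g


def is_homomorphism(src, dst, m_nodes, m_edges):
    """m covers every item of src and preserves sources and targets."""
    if set(m_nodes) != set(src.nodes) or set(m_edges) != set(src.edges):
        return False
    if not set(m_nodes.values()) <= dst.nodes:
        return False
    return all(dst.edges.get(m_edges[e]) == (m_nodes[s], m_nodes[t])
               for e, (s, t) in src.edges.items())


def _identifies_outside(m, preserved):
    """True if m glues together two distinct items that are not both in K."""
    fibres = {}
    for x, y in m.items():
        fibres.setdefault(y, set()).add(x)
    return any(len(f) > 1 and not f <= preserved for f in fibres.values())


def gluing_conditions(L, K, G, m_nodes, m_edges):
    """Definition 20 in Graph: a pushout complement of (l, m) exists iff
    the identification and dangling conditions both hold."""
    if _identifies_outside(m_nodes, K.nodes) or \
            _identifies_outside(m_edges, set(K.edges)):
        return False
    deleted = {m_nodes[n] for n in L.nodes - K.nodes}
    matched = set(m_edges.values())
    # dangling: every G-edge at a node about to be deleted must be matched
    return all(e in matched for e, (s, t) in G.edges.items()
               if s in deleted or t in deleted)


def dpo_rewrite(L, K, R, G, m_nodes, m_edges, fresh=lambda x: ("new", x)):
    """One derivation G =>_{p,m} H.  Returns (E, H): E is the pushout
    complement (deletion step), H the pushout of K -> E and K -> R
    (addition step: R is glued onto E along the common part K)."""
    if not is_homomorphism(L, G, m_nodes, m_edges):
        raise ValueError("match is not a graph homomorphism")
    if not gluing_conditions(L, K, G, m_nodes, m_edges):
        raise ValueError("gluing conditions fail: no pushout complement")
    del_nodes = {m_nodes[n] for n in L.nodes - K.nodes}
    del_edges = {m_edges[e] for e in set(L.edges) - set(K.edges)}
    E = graph(G.nodes - del_nodes,
              {e: st for e, st in G.edges.items() if e not in del_edges})
    # items of R \ K get fresh ids; items of K keep their image under m
    r_nodes = {n: m_nodes[n] if n in K.nodes else fresh(n) for n in R.nodes}
    r_edges = {e: m_edges[e] if e in K.edges else fresh(e) for e in R.edges}
    h_edges = dict(E.edges)
    for e, (s, t) in R.edges.items():
        h_edges[r_edges[e]] = (r_nodes[s], r_nodes[t])
    return E, graph(E.nodes | set(r_nodes.values()), h_edges)


def parallel_independent(L1, K1, m1, L2, K2, m2):
    """Section 5.1 in Graph: matches m1, m2 into the same G are parallel
    independent iff their images overlap only on items both rules keep."""
    def images(L, K, m):
        mn, me = m
        return ({mn[n] for n in L.nodes}, {me[e] for e in L.edges},
                {mn[n] for n in K.nodes}, {me[e] for e in K.edges})
    n1, e1, kn1, ke1 = images(L1, K1, m1)
    n2, e2, kn2, ke2 = images(L2, K2, m2)
    return (n1 & n2) <= (kn1 & kn2) and (e1 & e2) <= (ke1 & ke2)


if __name__ == "__main__":
    # constructed sample: p subdivides an edge a->b into a->c->b
    L = graph({"a", "b"}, {"e": ("a", "b")})
    K = graph({"a", "b"}, {})
    R = graph({"a", "b", "c"}, {"f": ("a", "c"), "g": ("c", "b")})
    G = graph({1, 2, 3}, {"x": (1, 2), "y": (2, 3)})
    E, H = dpo_rewrite(L, K, R, G, {"a": 1, "b": 2}, {"e": "x"})
    print("E:", E, "\nH:", H)
```

A production that deletes a node (empty $K$) applied at a node with an unmatched incident edge fails the dangling condition, so `dpo_rewrite` refuses it rather than producing a graph with a dangling edge; the same two matches that pass `parallel_independent` can be applied in either order, as Theorem 23 predicts.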

5.2 Concurrency Theorem 

The original concurrency theorems were proved for graph grammars [7] and later 
generalised to high-level replacement categories (cf. §6) in [11] which satisfy addi- 
tional axiom sets, there called HLR2 and HLR2*. Roughly, the concurrency the- 
orem states that given two derivations in a sequence, together with information 
about how they are related, one may construct a single derivation which inter- 
nalises the two original derivations and performs them “concurrently”. Moreover, 
one may reverse this process and deconstruct a concurrent derivation into two 





284    S. Lack and P. Sobocinski 



related sequential derivations. Here we state and prove the concurrency theorem 
for adhesive grammars without the need for extra axioms. 

We shall first need to recall the notions of dependency relation, dependent 
derivation and concurrent production. 

Definition 24 (Dependency Relation) Suppose that $p_1$ and $p_2$ are linear 
productions. A dependency relation for $(p_1, p_2)$ is an object $X$ together with 
arrows $s : X \to R_1$ and $t : X \to L_2$ for which $r_1$, $s$, $t$, and $l_2$ can be incorporated 
into a diagram 

[diagram (4): $X$ at the top with $s$ and $t$ into $R_1$ and $L_2$, glued together with 
$K_1 \xrightarrow{\;r_1\;} R_1$ and $L_2 \xleftarrow{\;l_2\;} K_2$; not reproduced] $\qquad (4)$ 

in which all three regions are pushouts. 

Definition 25 (Dependent Derivation) Consider a derivation $C \Rightarrow_{p_1, f_1} D_1 \Rightarrow_{p_2, f_2} D$ 
illustrated in (i) below 

[diagrams (i) and (ii): the two double-pushout diagrams of the derivation together 
with the objects $E_1', D', E_2'$ and the maps $e_1, e_2, d$ named below; not reproduced] 

and a dependency relation $X$ for $(p_1, p_2)$. The derivation is said to be $X$- 
dependent if $h_1 s = f_2 t$ and there exist morphisms $e_1 : E_1' \to E_1$ and $e_2 : E_2' \to E_2$ 
satisfying $e_1 g_1' = g_1$ and $e_2 g_2' = g_2$, and if moreover the unique map $d : D' \to D_1$ 
satisfying $d h_1' = h_1$ and $d f_2' = f_2$ also satisfies $d w_1' = w_1 e_1$ and $d v_2' = v_2 e_2$ (see 
(ii)). 

Definition 26 (Concurrent Production) Given a dependency relation $X$ 
for $(p_1, p_2)$, the $X$-concurrent production $p_1 ;_X p_2$ is the span 

[diagram: the span $L \leftarrow K \to R$ built from $X$, $s$, $t$ and diagram (4); not reproduced] 

in which the two marked squares are pushouts and the remaining square is a pullback. 
Theorem 27 (Concurrency Theorem). 

1. Given an $X$-dependent derivation $C \Rightarrow_{p_1, f_1} D_1 \Rightarrow_{p_2, f_2} D$ there exists 
an $X$-concurrent derivation $C \Rightarrow_{p_1 ;_X p_2} D$. 

2. Given an $X$-concurrent derivation $C \Rightarrow_{p_1 ;_X p_2} D$ there exists an $X$- 
dependent derivation $C \Rightarrow_{p_1, f_1} D_1 \Rightarrow_{p_2, f_2} D$. 



6 Relation with High-Level Replacement Categories 

High-level replacement categories [9,10,11] or HLR-categories encompass several 
attempts to isolate general categorical axioms which lead to categories in which 
one can define double-pushout graph rewriting and prove useful theorems such 
as the local Church- Rosser theorem and the concurrency theorem. 

HLR-categories usually have axioms which are parametrised over an arbi- 
trary class of morphisms $\mathcal{M}$. Here we give a simplified version of the definition 
which appears in [9]. The simplification is that we take $\mathcal{M}$ to be the class of 
monomorphisms: we justify this by noting that this is the case in the majority 
of examples. 

Definition 28 (HLR-categories) A category $\mathbf{S}$ is an HLR-category if it sat- 
isfies the following axioms: 

1. pairs $C \leftarrow A \to B$ with at least one of the arrows mono have a pushout; 

2. pairs $B \to D \leftarrow C$ with both morphisms mono have pullbacks; 

3. monos are preserved by pushout; 

4. finite coproducts exist; 

5. pushouts of monos are pullbacks; 

6. pushout-pullback decomposition holds: that is, given a diagram of two adjacent 
squares (the diagram is not reproduced here), if the marked morphisms are mono, 
the whole rectangle is a pushout and the right square is a pullback, then the 
left square is a pushout. 



Lemma 29 Any adhesive category with an initial object is an HLR-category. 
Proof. This follows immediately from Lemmas 12, 13, and 16. 

The axioms listed above are enough to prove the local Church-Rosser theorem 
(cf. Theorem 23), but not the concurrency theorem (cf. Theorem 27). To prove 
the latter, extra axioms had to be introduced in [11], such as the conclusion of 
the following lemma. Interestingly, it is almost the dual of the main axiom of 
adhesive categories. 







Lemma 30 (Cube-pushout-pullback-lemma [11]) Given a cube in which 
all arrows in the top and bottom faces are mono, if the top face is a pullback 
and the front faces are pushouts, then the bottom face is a pullback if and only 
if the back faces are pushouts. 

Proof. Since the front faces are pushouts along monomorphisms, they are also 
pullbacks. 

If the bottom face is a pullback, then the back faces are pushouts by stabil- 
ity of the pushouts on the front faces. Suppose conversely that the back faces 
are pushouts; since they are pushouts along monomorphisms, they are also pull- 
backs. One now simply “rotates the cube”: since the front right and back left 
faces are pushouts, and the top and back right faces are pullbacks, it follows by 
adhesiveness that the bottom square is a pullback. 

An HLR-category which has the conclusion of Lemma 30 as an additional 
axiom is sometimes referred to as an HLR2-category [11]. It is immediate, there- 
fore, that any adhesive category with an initial object is an HLR2-category. 

The strongest axiom system for general rewriting is enjoyed by the so-called 
HLR2*-categories [11]. These are HLR2-categories which, additionally, have the 
conclusion of Lemma 15 as an axiom, that is, pushout complements of monos are, 
if they exist, unique up to isomorphism. Finally, they satisfy an axiom known as 
the twisted-triple-pushout-condition. We believe that this axiom does not hold 
in an arbitrary adhesive category, although it does hold, for instance, in any 
topos. Indeed, it is possible to extend the definition of adhesive categories in a 
natural way so that the twisted-triple-pushout-condition holds [16]. 

7 Conclusions and Future Work 

We introduced the notions of van Kampen (VK) square and adhesive cate- 
gory. VK squares are “well-behaved pushouts” , and a category is adhesive when 
pushouts along monos are VK. Adhesive categories are closely related to exten- 
sive categories. 

Double-pushout (d-p) rewriting can be defined in an arbitrary adhesive cat- 
egory. We introduced adhesive grammars, which are adhesive categories with a 
set of linear productions. Adhesive grammars have sufficient structure for the de- 
velopment of a rich rewriting theory. In particular, we proved the local Church- 
Rosser and the so-called concurrency theorem within the setting of adhesive 
grammars. We have also shown that adhesive categories satisfy many of the 
axioms [9,11] which were proposed in order to prove these theorems. Thus, we have 
arrived at a class of categories which supports such a theory of d-p rewriting; 
moreover, we believe that adhesive categories are mathematically elegant and less 
ad hoc than previous proposals. 

In order to back this claim and to further develop the theory of adhesive 
categories, we have demonstrated a number of useful properties. For instance, 
subobject union is formed as a pushout over the intersection, and subobject 
intersection distributes over subobject union. We have provided some closure 
properties which allow the construction of new adhesive categories from old. Any 
elementary topos is adhesive, but there are examples of adhesive categories which 
are not toposes. Adhesive categories include many well-known notions of graph 
structures used in computer science and are instances of HLR2-categories [11]. 

We believe that adhesive categories will be useful in the development of 
specific graphical models of computation and the development of semantic tech- 
niques for reasoning about such models. The rewriting theory needs to be de- 
veloped further, with, for example, the construction of canonical dependency 
relations from derivations [11]. A related task is to clarify the relationship of 
adhesive categories and the HLR2*-categories [11]. 

Another possible direction for future work is to examine whether adhesive 
categories have enough structure so that groupoidal relative pushouts [21] can 
be constructed in cospan bicategories over adhesive categories. Such cospan bi- 
categories provide a way of understanding graphs in a modular fashion and will 
provide a general class of models which should include bigraphs [18] as examples. 
A further question to be resolved is whether demanding the good behaviour of 
pushouts only along some class of monomorphisms will result in further inter- 
esting categories. 
A Game Semantics of Local Names and Good Variables 

Abstract. We describe a game semantics for local names in a functional 
setting. It is based on a category of dialogue games acted upon by the 
automorphism group of the natural numbers; this allows properties of 
names such as freshness and locality to be characterized semantically. 
We describe a model of the nu-calculus in this category, and extend it 
with named references (without bad variables) using names as pointers 
to a store. After refining the semantics via a notion of garbage collection, 
we prove that the compact elements are definable as terms, and hence 
obtain a full abstraction result. 



1 Introduction 

Local names are a pervasive and subtle feature of programming languages and 
other calculi. Not only are they used for manipulating important constructs such 
as locally bound references and exceptions, name-passing is itself a very expres- 
sive computational paradigm, as demonstrated by the π-calculus, for example. 
Local names can also represent items of secret information which are dynami- 
cally generated, passed between agents and used to access further information or 
activity. They therefore have a key role in specifying properties of secure systems 
[1,24]. 

Game semantics has proved successful in characterizing several features with 
local names, as demonstrated by fully abstract models of functional languages 
with locally bound references [2,3,4], exceptions [11] and channels [12]. However, 
in one respect, these models do not accurately reflect the way these features are 
implemented; in the game semantics of references (for example), names are taken 
to represent storage cells, rather than pointers to storage cells. Symptomatic 
of the resulting divergence between operational and denotational semantics is 
the "bad variable" problem; the full abstraction results for these models are 
contingent upon the presence of objects of reference type which do not behave 
correctly as storage cells¹. So the lack of a satisfactory approach to modelling 

* Supported by EU FET-GC 'MyThS: Models and Types for Security in Mobile Dis- 
tributed Systems' IST-2001-32617 

¹ In [16], McCusker has shown that observational equivalence in Idealized Algol with 
(active expressions and) bad variables is conservative over observational equivalence 
in the same language without bad variables. This result highlights how different 
Idealized Algol is in this respect from call-by-value languages such as ML (for instance 
we can distinguish between $\lambda x{:}\mathrm{var}.\; x := 0;\ x := 0$ and $\lambda x.\; x := 0$ in the former, but 
not the latter). 

names themselves is a significant limitation when interpreting languages without 
bad variables such as ML. It would appear to be an even more serious obstacle 
to giving realistic semantics of languages in which name-passing is fundamental, 
such as the π-calculus. In this paper we will describe a category of games in 
which local names may be interpreted independently of any imperative feature, 
and use this to construct a model of storage in a language without bad variables 
in which names are pointers to the store. 

In Section 2 we describe a language with local names based on the nu-calculus 
of Pitts and Stark [20,22]. The latter aims to capture the key features of names 
in a functional setting, in the absence of associated imperative features such as 
reference cells. Modelling it may thus be considered a first test for a semantics 
of local names; existing categories of games, for example, do not offer a natural 
interpretation of names in isolation in this way. We also extend the nu-calculus 
with assignment and dereferencing of names with names, i.e. names are used 
to refer to cells in which names may be stored. The resulting calculus has some of 
the name-passing capacities of the π-calculus in a sequential, functional setting. 
Again, this form of reference has not previously been modelled using standard 
games techniques. 

In Section 3, we describe the basis of our model, a category of (Hyland-Ong 
style) games and strategies, acted on by the automorphism group of natural 
numbers, from which we generate an equivalence corresponding to invariance 
under name substitution. Names are already represented in this way in Stark's 
model of the nu-calculus in the category of continuous $G$-sets [22]. In the setting 
of game semantics, of which a key feature is the distinction between Player 
(representing a program) and Opponent (representing the environment), new 
issues become evident: which participant in a dialogue introduced a given name, 
and how can knowledge of it pass from one to the other? 

In Section 4 we use our category of games (and constructions for interpret- 
ing call-by-value function types developed by Honda and Yoshida [7]) to give a 
semantics for the nu-calculus. By adding an object corresponding to the store, 
and using names as pointers to it, we are able to give a simple interpretation 
of the extension with references, bearing out Stark's observation [22] that "dynamically cre- 
ated names really do capture the difficult part of ... references; actual value 
storage is not so hard". We refine our model using a notion of "garbage collec- 
tion" which exploits the fact that we can make a distinction between globally 
accessible names (which have been revealed to the environment) and local names 
(which have not). 

In Section 5 we prove (using game semantics techniques such as decomposition 
and factorization) that all of the compact elements of our "garbage-collected" 
model are definable as terms, and that contextual equivalence can therefore be 
characterized semantically, and for finitary terms, decidably. This development is 
reminiscent of the observation of Jeffrey and Rathke [9], that allowing names to 




A Game Semantics of Local Names and Good Variables    291 



leak to the environment through the store simplifies reasoning about contextual 
equivalence. 



2 λν!: A Calculus of Names and References 

We will study names and named references via two functional languages with 
names, the nu-calculus [20,22], and an extension with locally named references to 
local names. The nu-calculus may be described as a simply-typed λ-calculus with 
two ground types $o$ (booleans) and $\nu$ (names), extended with various constants: 
the truth values $\mathit{tt}, \mathit{ff} : o$, a conditional $\mathrm{If} : o \to T \to T \to T$ for each type $T$, 
an equality test on names $\mathrm{eq} : \nu \to \nu \to o$ and a new-name generator $\mathrm{new} : \nu$. 
The λν!-calculus is the nu-calculus extended with constants for writing to and 
reading from names: $\mathrm{assign} : \nu \to \nu \to o$ and $\mathrm{deref} : \nu \to \nu$. We use the syntactic 
sugar $\nu x.M$ for $(\lambda x.M)\,\mathrm{new}$, $M = N$ for $(\mathrm{eq}\,M)\,N$, $M := N$ for $(\mathrm{assign}\,M)\,N$ 
and $!M$ for $\mathrm{deref}\,M$. 



Table 1. Operational Semantics of λν! 

$$\frac{}{V, \mathcal{E} \Downarrow V, \mathcal{E}} \qquad\qquad
\frac{}{\mathrm{new}, (n, S) \Downarrow n+1, (n+1, S)}$$

$$\frac{M, \mathcal{E} \Downarrow \lambda x.M', \mathcal{E}' \quad N, \mathcal{E}' \Downarrow V, \mathcal{E}'' \quad M'[V/x], \mathcal{E}'' \Downarrow U, \mathcal{E}'''}{M\,N, \mathcal{E} \Downarrow U, \mathcal{E}'''}$$

$$\frac{M, \mathcal{E} \Downarrow i, \mathcal{E}' \quad N, \mathcal{E}' \Downarrow i, \mathcal{E}''}{M = N, \mathcal{E} \Downarrow \mathit{tt}, \mathcal{E}''} \qquad\qquad
\frac{M, \mathcal{E} \Downarrow i, \mathcal{E}' \quad N, \mathcal{E}' \Downarrow j, \mathcal{E}''}{M = N, \mathcal{E} \Downarrow \mathit{ff}, \mathcal{E}''}\ (i \neq j)$$

$$\frac{M, \mathcal{E} \Downarrow \mathit{tt}, \mathcal{E}'}{\mathrm{If}\,M, \mathcal{E} \Downarrow \lambda xy.x, \mathcal{E}'} \qquad\qquad
\frac{M, \mathcal{E} \Downarrow \mathit{ff}, \mathcal{E}'}{\mathrm{If}\,M, \mathcal{E} \Downarrow \lambda xy.y, \mathcal{E}'}$$

$$\frac{M, \mathcal{E} \Downarrow i, \mathcal{E}' \quad N, \mathcal{E}' \Downarrow j, (k, S)}{M := N, \mathcal{E} \Downarrow \mathit{tt}, (k, S[i \mapsto j])} \qquad\qquad
\frac{M, \mathcal{E} \Downarrow i, (k, S)}{{!M}, \mathcal{E} \Downarrow S(i), (k, S)}$$


The operational semantics of λν! subsumes that of the nu-calculus. A pro- 
gram is a closed term of λν! extended with a countable set of names, which are 
distinguished variables $i : \nu$ for each $1 \le i < \omega$. We write $k \vdash M$ if no name in 
$M$ is greater than $k$. A program-in-environment $M, \mathcal{E}$ is a program $M$ together 
with a pair $\mathcal{E} = (k, S)$ consisting of a natural number $k$ such that $k \vdash M$, and a store $S$ (a 
partial map from $k$ to $k$). The "big step" evaluation rules for evaluating a pro- 
gram and an environment to a value (a λ-abstraction, name or truth value) and 
an environment are shown in Table 1. Note that unlike the nu-calculus, failure 
to converge to a value is possible, i.e. if a reference is dereferenced before any 
value has been assigned to it. 
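To make the rules of Table 1 concrete, the following Python evaluator is an added example, not code from the paper: it implements the big-step rules with the environment as a pair $(k, S)$ and the store $S$ as a Python dict. The tuple encoding of terms, the `Stuck` exception used for failure to converge, and the sample programs are assumptions of the example. Running it shows that two names obtained from `new` never test equal, that a name can be stored under another name and read back, and that dereferencing a name before any assignment does not converge.

```python
"""Big-step evaluator for the lambda-nu! calculus of Table 1: an added
example, not code from the paper.

Terms are tuples: ('var', x) ('lam', x, M) ('app', M, N) ('new',)
('eq', M, N) ('assign', M, N) ('deref', M) ('if', M).  Values are
Python bools (tt/ff), ints (names 1, 2, ... in creation order) and
closed 'lam' terms.  An environment is (k, S): k names created so far,
S the store as a dict name -> name (a partial map)."""


class Stuck(Exception):
    """Evaluation does not converge, e.g. !x before any x := _."""


def is_value(term):
    return not isinstance(term, tuple) or term[0] == 'lam'


def subst(term, x, v):
    """term[v/x]; v is always a closed value, so no capture can occur."""
    if not isinstance(term, tuple):
        return term
    tag = term[0]
    if tag == 'var':
        return v if term[1] == x else term
    if tag == 'lam':
        return term if term[1] == x else ('lam', term[1], subst(term[2], x, v))
    return (tag,) + tuple(subst(t, x, v) for t in term[1:])


def evaluate(term, env):
    """M, E  ⇓  V, E'  following Table 1 (function before argument)."""
    k, S = env
    if is_value(term):                    # V,E ⇓ V,E
        return term, env
    tag = term[0]
    if tag == 'var':
        raise Stuck(f"unbound variable {term[1]!r}")
    if tag == 'new':                      # new,(n,S) ⇓ n+1,(n+1,S)
        return k + 1, (k + 1, S)
    if tag == 'app':
        f, env1 = evaluate(term[1], env)
        a, env2 = evaluate(term[2], env1)
        if not (isinstance(f, tuple) and f[0] == 'lam'):
            raise Stuck("application of a non-function")
        return evaluate(subst(f[2], f[1], a), env2)
    if tag == 'if':                       # If tt ⇓ λxy.x,  If ff ⇓ λxy.y
        b, env1 = evaluate(term[1], env)
        pick = 'x' if b is True else 'y'
        return ('lam', 'x', ('lam', 'y', ('var', pick))), env1
    if tag == 'eq':
        i, env1 = evaluate(term[1], env)
        j, env2 = evaluate(term[2], env1)
        return i == j, env2
    if tag == 'assign':                   # M := N ⇓ tt with S[i -> j]
        i, env1 = evaluate(term[1], env)
        j, (k2, S2) = evaluate(term[2], env1)
        return True, (k2, {**S2, i: j})
    if tag == 'deref':                    # !M ⇓ S(i); stuck if S(i) undefined
        i, (k2, S2) = evaluate(term[1], env)
        if i not in S2:
            raise Stuck(f"name {i} dereferenced before assignment")
        return S2[i], (k2, S2)
    raise ValueError(f"unknown term {term!r}")


def nu(x, M):
    """νx.M is sugar for (λx.M) new."""
    return ('app', ('lam', x, M), ('new',))


def seq(M, N):
    """M; N as (λ_.N) M: M runs first for its store effect, then N."""
    return ('app', ('lam', '_', N), M)


def run(program):
    """Evaluate a closed program from the empty environment (0, ⊥)."""
    value, _ = evaluate(program, (0, {}))
    return value


# constructed sample programs (variables as ('var', name))
X, Y = ('var', 'x'), ('var', 'y')
FRESH = nu('x', nu('y', ('eq', X, Y)))                       # νx.νy. x = y
ROUNDTRIP = nu('x', nu('y', seq(('assign', X, Y), ('eq', ('deref', X), Y))))
UNASSIGNED = nu('x', ('eq', ('deref', X), X))                # !x before x := _

if __name__ == "__main__":
    print(run(FRESH), run(ROUNDTRIP))
    try:
        run(UNASSIGNED)
    except Stuck as err:
        print("stuck:", err)
```

Because `new` always returns $k+1$, a freshly generated name is distinct from every name already in the environment, which is what makes `FRESH` evaluate to $\mathit{ff}$; the store is threaded through evaluation exactly as the rules thread $\mathcal{E}$, so the assignment in `ROUNDTRIP` is visible to the later dereference.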

We adopt a standard definition of contextual equivalence: given terms $M, N : T$ 
(of a given language $\mathcal{L}$), $M \simeq N$ in $\mathcal{L}$ if for all closing contexts $C[X] : o$ of $\mathcal{L}$, 
$C[M] \Downarrow \mathit{tt}$ if and only if $C[N] \Downarrow \mathit{tt}$. (Where $M \Downarrow V$ if $M, (0, \bot) \Downarrow V, \mathcal{E}$ for some 

3 Games with Names 

Our notion of game is based on the dialogue games of Hyland and Ong [8] (and 
Nickau [18]), to which we add structure for manipulating a countable set of 
names, in the form of an action of the automorphism group of the natural num- 
bers. This generates an equivalence on strategies corresponding to invariance 
under substitution of names². We give brief (and slightly non-standard) defini- 
tions of arenas and legal sequences and refer the reader to the literature ([8,15, 
10,7] etcetera) for more detailed explanation. 

An (underlying) arena $A$ is a tuple $(M_A, I_A, \lambda_A, \vdash_A)$ consisting of a set of 
moves $M_A$, a subset $I_A \subseteq M_A$ of initial moves, a question/answer labelling 
$\lambda_A : M_A \to \{Q, A\}$, and an enabling relation $\vdash_A \subseteq M_A \times (M_A - I_A)$ such 
that no answer is enabled by an answer. We require that the enabling relation 
partitions the set of moves according to the following rule: every initial move is 
an Opponent move, and every move enabled by an Opponent move is a Player 
move, and vice-versa. We describe an arena as A-rooted if all of its initial moves 
are answers. 

A justified sequence over the arena A is a sequence of moves of A together 
with a pointer from each non-initial move to an enabling move. The set La of 
legal sequences of A consists of the finite justified sequences which are well-opened 
(contain at most one initial move), alternating (Opponent moves are followed 
by Player moves and vice-versa), well-bracketed (every answer is justified by the 
last-asked open question) and satisfy the visibility condition (the Player and 
Opponent views [8,15] of every subsequence are justified sequences). 

Let $G$ be the topological group of natural number automorphisms with the 
product topology on $\mathbb{N}^{\mathbb{N}}$, for which a basis of neighbourhoods of the identity is 
$\{ \mathrm{stab}_G(k) \mid k \subseteq_{\mathrm{fin}} \mathbb{N} \}$ [22]. By a continuous action of $G$ upon a set $A$, we will 
mean a $G$-action which is continuous with respect to the discrete topology on 
$A$. So the stabiliser of any element $a \in A$ is open in $G$ and thus contains the 
stabiliser of some finite subset $k \subseteq \mathbb{N}$; the least such $k$ is the support of $a$. 

Definition 1. A ν-arena is an arena $A$ and a continuous action of $G$ on $M_A$ 
such that $\lambda_A(\pi(m)) = \lambda_A(m)$ and $m \vdash n$ iff $\pi(m) \vdash \pi(n)$. 

The group action extends naturally to legal sequences. 

Lemma 1. If $A$ is a ν-arena, then there is a continuous action of $G$ on $L_A$ 
defined $\pi(m_1 m_2 \ldots m_n) = \pi(m_1)\pi(m_2) \ldots \pi(m_n)$. 

² A similar notion of equivalence is used in [5], also to preserve parametricity in games 
with a countable set of labels. The key difference is that in the model of λν! names can 
be passed between strategies, and so equivalence cannot be described componentwise 
as in [5]. 
We write $\nu(s)$ for the support of $s$, and use it to define associated functions 
$P_\nu, O_\nu$, which identify the sets of new names introduced by Player (or by com- 
plementation, Opponent) in a legal sequence. 

Definition 2. The functions $P_\nu, O_\nu$ from legal sequences to $\mathcal{P}_{\mathrm{fin}}(\mathbb{N})$ are defined: 
$P_\nu(\varepsilon) = \emptyset$, 
$P_\nu(sa) = P_\nu(s) \cup (\nu(sa) - \nu(s))$ if $a$ is a Player move, 
$P_\nu(sa) = P_\nu(s)$ otherwise, 
$O_\nu(s) = \nu(s) - P_\nu(s)$. 

We write $\sim$ for the equivalence relation on legal sequences determined by the 
orbits of the group action, i.e. $s \sim t$ if $\exists \pi \in G.\ \pi(s) = t$. A strategy on a ν-arena 
is, in essence, the orbit of a deterministic strategy on the underlying arena. 

Definition 3. Let $A$ be a ν-arena. A ν-strategy $\sigma : A$ is a non-empty and even- 
prefix-closed set of even-length legal sequences of $A$ subject to the following con- 
ditions: 

- If $s \in \sigma$ and $s \sim t$ then $t \in \sigma$. 

- If $sa, tb \in \sigma$ and $s \sim t$, then $sa \sim tb$. 
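The orbit relation $\sim$ and the functions $P_\nu$, $O_\nu$ can be decided mechanically for sequences whose moves carry finite supports. The Python below is an added example, not code from the paper: it canonicalises names by order of first appearance (two sequences lie in the same orbit exactly when their canonical forms agree, since a bijection between two finite supports extends to a permutation of $\mathbb{N}$), computes $P_\nu$ and $O_\nu$ following Definition 2, and checks the second condition of Definition 3 on a finite set of plays. The encoding of a move as (polarity, label, names) and the sample sequences are assumptions of the example.

```python
"""Name equivariance on legal sequences (Section 3): an added example,
not code from the paper.  A move is modelled as (polarity, label, names)
with polarity 'O' or 'P', a label for the underlying move and the tuple
of natural numbers it mentions (its support).  G acts by renaming."""


def support(seq):
    """ν(s): the finite set of names occurring in s."""
    return {n for _, _, names in seq for n in names}


def player_names(seq):
    """P_ν(s) of Definition 2: names first introduced by a Player move."""
    seen, introduced = set(), set()
    for pol, _, names in seq:
        fresh = set(names) - seen
        if pol == 'P':
            introduced |= fresh
        seen |= fresh
    return introduced


def opponent_names(seq):
    """O_ν(s) = ν(s) - P_ν(s)."""
    return support(seq) - player_names(seq)


def act(perm, seq):
    """π(s) for a permutation given as a dict (identity elsewhere)."""
    return [(pol, lab, tuple(perm.get(n, n) for n in names))
            for pol, lab, names in seq]


def canonical(seq):
    """Rename names in order of first appearance.  Two sequences lie in the
    same G-orbit iff their canonical forms coincide: a bijection between two
    finite supports always extends to a permutation of N."""
    rename, out = {}, []
    for pol, lab, names in seq:
        for n in names:
            rename.setdefault(n, len(rename))
        out.append((pol, lab, tuple(rename[n] for n in names)))
    return out


def equivalent(s, t):
    """s ~ t  iff  there is π in G with π(s) = t."""
    return canonical(s) == canonical(t)


def witness(s, t):
    """The finite part of a π with π(s) = t, or None if s and t differ."""
    if not equivalent(s, t):
        return None
    return {n: m for (_, _, ns), (_, _, ms) in zip(s, t)
            for n, m in zip(ns, ms)}


def deterministic_up_to_names(plays):
    """Second condition of Definition 3: whenever sa, tb are plays with
    s ~ t, then sa ~ tb (Player's choice is fixed up to renaming)."""
    for sa in plays:
        for tb in plays:
            if (len(sa) == len(tb) >= 2 and equivalent(sa[:-1], tb[:-1])
                    and not equivalent(sa, tb)):
                return False
    return True


# constructed sample: Opponent opens with name 3, Player answers with a
# fresh 7, Opponent reuses both, Player introduces 9
S = [('O', 'q', (3,)), ('P', 'a', (7,)), ('O', 'q', (7, 3)), ('P', 'a', (9,))]
T = act({3: 1, 7: 5, 9: 2}, S)                     # same orbit as S
U = [('O', 'q', (3,)), ('P', 'a', (3,)), ('O', 'q', (3, 3)), ('P', 'a', (9,))]

if __name__ == "__main__":
    print(player_names(S), opponent_names(S), equivalent(S, T), equivalent(S, U))
```

The sequence `U` differs from `S` only in that Player answers with the name Opponent already disclosed instead of a fresh one; canonicalisation separates the two orbits, and a set of plays containing both prefixes fails the determinism-up-to-renaming condition, so it is not a ν-strategy.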

3.1 A Call-by-Value Category of Games 

We will now construct a premonoidal category of games in which to model the 
call-by-value λ-calculus aspect of λν!. We follow essentially the constructions of 
Honda and Yoshida [7] or variants described by Laurent [13]. In each case the 
group action on compound arenas is defined pointwise. The key novelty thus lies 
in the definition of composition of strategies, since we must maintain distinctness 
of fresh names. 

Definition 4. Given ν-arenas $A_1, A_2$ we define a (Q-rooted) ν-arena $A_1 \to A_2$: 

- $M_{A_1 \to A_2} = M_{A_1} + M_{A_2}$, 

- $\lambda_{A_1 \to A_2}(\mathrm{in}_i(m)) = Q$ if $i = 1$ and $m \in I_{A_1}$, 
  $\lambda_{A_1 \to A_2}(\mathrm{in}_i(m)) = \lambda_{A_i}(m)$ otherwise, 

- $I_{A_1 \to A_2} = \mathrm{in}_1(I_{A_1})$, 

- $\vdash_{A_1 \to A_2} = [\vdash_{A_1}, \vdash_{A_2}] \cup (\mathrm{in}_1(I_{A_1}) \times \mathrm{in}_2(I_{A_2}))$, 

- $\pi(\mathrm{in}_i(m)) = \mathrm{in}_i(\pi(m))$. 

So the initial moves in $A_1 \to A_2$ are the initial moves from $A_1$ relabelled as 
questions (to which the initial moves from $A_2$ are the answers). 

Composition of strategies $\sigma : A \to B$ and $\tau : B \to C$ is, as usual, by allowing 
interaction in $B$ which is then hidden. However, further conditions are required 
to ensure that the new names introduced by $\sigma$ are disjoint from those introduced 
by $\tau$, and from those introduced by Opponent in $C$ (and vice-versa). 

Definition 5. The set of well-formed interaction sequences $I_{A,B,C}$ is the set of 
legal sequences $s \in L_{(A \to B) \to C}$ which satisfy the following conditions: 

- $P_\nu(s{\restriction}A \to B) \cap P_\nu(s{\restriction}B \to C) = \emptyset$, 

- $(P_\nu(s{\restriction}A \to B) \cup P_\nu(s{\restriction}B \to C)) \cap O_\nu(s{\restriction}A \to C) = \emptyset$. 

Given $\sigma : A \to B$, $\tau : B \to C$, $\sigma|\tau = \{ s \in I_{A,B,C} \mid s{\restriction}A \to B \in \sigma \wedge s{\restriction}B \to C \in \tau \}$ 
and $\sigma;\tau : A \to C = \{ s \in L_{A \to C} \mid \exists t \in \sigma|\tau.\ s = t{\restriction}A \to C \}$. 

To establish that we may define a category based on this notion of composition, 
it is necessary to prove that it yields a well-defined strategy (note that this would 
not be the case without the fresh name restrictions on interaction sequences) 
and is associative. 

Lemma 2. The composition of ν-strategies is a well-defined ν-strategy. 

Proof. We need to show that if $s \in \sigma;\tau$ and $s \sim t$, then $t \in \sigma;\tau$ and if $sa, tb \in \sigma;\tau$ 
and $s \sim t$ then $sa \sim tb$. The first part is straightforward, since if $s \in \sigma|\tau$ and 
$\pi(s{\restriction}A \to C) = t$, then $\pi(s) \in \sigma|\tau$ and $\pi(s){\restriction}A \to C = t$. 

To establish the second property, we prove by induction on sequence length 
that if $sa, tb \in \sigma|\tau$ and $s{\restriction}A \to C \sim t{\restriction}A \to C$, then $sa \sim tb$ and hence 
$sa{\restriction}A \to C \sim tb{\restriction}A \to C$. The proof uses the freshness assumptions on interaction 
sequences to show that when $\sigma$ introduces a new name in $s{\restriction}A \to B$ then it is 
genuinely new in $s$ (and similarly for $\tau$) and also that when Opponent introduces 
a new name in $s{\restriction}A \to C$ then it is new in $s$. 

Lemma 3. Composition of ν-strategies is associative. 

Proof. This follows the proof of associativity for ordinary strategies [10]: we 
show that given $\rho : A \to B$, $\sigma : B \to C$, $\tau : C \to D$, if $s \in \rho;(\sigma;\tau)$ then there 
exists $t \in L_{A,B,C,D}$ such that $t{\restriction}(A \to B) \to C \in \rho|\sigma$, $t{\restriction}(B \to C) \to D \in \sigma|\tau$ 
and $s = t{\restriction}A, D$ and hence $s \in (\rho;\sigma);\tau$. The complicating factor in the case of 
ν-strategies is that there may be names introduced in the hidden components $B$ 
and $C$ which violate the freshness assumptions for interaction sequences; we 
use the saturation of strategies with respect to $\sim$ and the fact that every move 
has finite support to show that we can always make choices of fresh names which 
avoid this. 

Since any copycat strategy never introduces new names, it is straightforward to 
show that for each arena the standard notion of identity strategy is well-defined 
and has the required properties. 

Proposition 1. The A-rooted ν-arenas form a category $\nu\mathcal{G}$ in which morphisms 
from $A$ to $B$ are ν-strategies on $A \to B$. 

We now define premonoidal structure on $\nu\mathcal{G}$ which is essentially the same as that 
described in [7], but with restrictions on the sharing of names. 

Definition 6. From A-rooted arenas $A_1, A_2$, form an A-rooted arena $A_1 \otimes A_2$: 

- $M_{A_1 \otimes A_2} = (M_{A_1} \times I_{A_2}) \cup (I_{A_1} \times M_{A_2})$, 

- $\lambda_{A_1 \otimes A_2}((m_1, m_2)) = \lambda_{A_2}(m_2)$ if $m_1 \in I_{A_1}$, 
  $\lambda_{A_1 \otimes A_2}((m_1, m_2)) = \lambda_{A_1}(m_1)$ otherwise, 

- $I_{A_1 \otimes A_2} = I_{A_1} \times I_{A_2}$, 

- $\vdash_{A_1 \otimes A_2} = (\vdash_{A_1} \otimes\, \mathrm{id}) \cup (\mathrm{id} \otimes \vdash_{A_2})$, 

- $\pi((m, n)) = (\pi(m), \pi(n))$. 

The unit $I$ for $\otimes$ is the A-rooted arena with a single (initial) move. 

Given a legal sequence $t \in L_{A_1 \otimes A_2}$ we obtain a legal sequence $t{\restriction}A_i \in L_{A_i}$ 
by taking the $i$th projection from each move, and then erasing all initial moves 
except the first from the result. 

Proposition 2. $\nu\mathcal{G}$ is a symmetric premonoidal category. 

Proof. For each object $A$, we define endofunctors $A \otimes \_$ and $\_ \otimes A : \nu\mathcal{G} \to \nu\mathcal{G}$; 
given $\sigma : B \to C$, let $A \otimes \sigma : A \otimes B \to A \otimes C$ be 

$$\{ s \in L_{A \otimes B \to A \otimes C} \mid s{\restriction}B \to C \in \sigma \wedge s{\restriction}A \to A \in \mathrm{id}_A \wedge P_\nu(s{\restriction}B \to C) = P_\nu(s) \}.$$

We now identify, via conditions on strategies, a subcategory of $\nu\mathcal{G}$ for which the 
premonoidal product is cartesian. The first condition is totality, as used in [7]. 

Definition 7. A morphism $f : A \to B$ is total if $g;f = \bot$ implies $g = \bot$ (where 
$\bot$ is the empty strategy). So $\sigma : A \to B$ is total if it responds to the initial 
question in $A$ with the initial answer in $B$. A sequence in which this occurs is 
said to be total. 

Our further condition on total strategies is essentially thread independence [4], 
plus conditions on the introduction and sharing of names across threads. 

Definition 8. The thread of a total sequence $qasb \in L_{A \to B}$ is a legal sequence 
of $A \to B$ defined as follows: 
$\mathrm{thread}(qasb) = qab$ if $b$ is justified by $a$, 
$\mathrm{thread}(qasb) = \mathrm{thread}(qas)\,b$ otherwise. 

Definition 9. A total sequence $qas \in L_{A \to B}$ is thread-independent with respect 
to names if: 

- Player does not introduce any new names with the move $a$, i.e. $P_\nu(qa) = \emptyset$. 

- Whenever Player introduces a name which is fresh in its thread, it is fresh in 
$qas$, i.e. if $qatb \sqsubseteq^{\mathrm{even}} qas$ then $(\nu(\mathrm{thread}(qatb)) - \nu(\mathrm{thread}(qat))) \cap \nu(qat) = \emptyset$. 

A total strategy $\sigma$ is thread-independent if each sequence in $\sigma$ is thread- 
independent with respect to names and whenever $s, ta \in \sigma$ and $\mathrm{thread}(sb) \sim 
\mathrm{thread}(t)$ then there exists $sbc \in \sigma$ such that $\mathrm{thread}(sbc) \sim \mathrm{thread}(ta)$. 

Lemma 4. The thread-independent strategies form a subcategory $\nu\mathcal{G}_t$ of $\nu\mathcal{G}$ 
upon which $\otimes$ is a cartesian product. 

Proof. Compositionality of thread-independent strategies is straightforward. We 
also observe that $\_ \otimes \_$ is a symmetric monoidal product on the total strategies, 
as in [7] (and $I$ is a terminal object in this category). Further, we have copycat 
strategies yielding natural maps $\pi_i : A_1 \otimes A_2 \to A_i$ and $\delta : A \to A \otimes A$ such 
that $\delta;\pi_i = \mathrm{id}_A$, $\delta_{A_1 \otimes A_2};(\pi_1 \otimes \pi_2) = \mathrm{id}_{A_1 \otimes A_2}$ and if $f : A \to B$ is total and 
thread-independent then $\delta_A;(f \otimes f) = f;\delta_B$. 
Thus we have a Freyd category [21]: a cartesian category $\nu\mathcal{G}_t$, a symmetric pre- 
monoidal category $\nu\mathcal{G}$, and an identity-on-objects strict symmetric premonoidal 
functor (inclusion) from $\nu\mathcal{G}_t$ to $\nu\mathcal{G}$. Moreover, this is a closed Freyd category. 

Proposition 3. $\mathrm{Inc}(\_) \otimes A : \nu\mathcal{G}_t \to \nu\mathcal{G}$ has a right adjoint $\nu\mathcal{G} \to \nu\mathcal{G}_t$. 

Proof. Given a Q-rooted arena $B$ let $\uparrow\!B$ be the A-rooted arena obtained by 
adding to $B$ a single initial answer (invariant under the $G$-action) which enables all 
of the initial moves of $B$. We define $A \Rightarrow B = \uparrow\!(A \to B)$. 

We have a one-to-one correspondence $\dagger$ between legal sequences on $A \otimes B \to C$ 
(which have the form $(m, n) \cdot s$) and total sequences on $A \to (B \Rightarrow C)$ (which have 
the form $m\,a\,n \cdot s$). This gives rise to the required natural isomorphism between 
$\nu\mathcal{G}(A \otimes B, C)$ and $\nu\mathcal{G}_t(A, B \Rightarrow C)$: given $\sigma : A \otimes B \to C$, let $\Lambda(\sigma) : A \to B \Rightarrow C$ 
be the least set of legal sequences such that $\varepsilon, qa \in \Lambda(\sigma)$, and if $s \in \Lambda(\sigma)$, $sab$ is 
thread-independent with respect to names and $\dagger(\mathrm{thread}(sab)) \in \sigma$ then $sab \in \Lambda(\sigma)$. 

4 Semantics of $\lambda\nu!$

In [23], Stark describes a notion of categorical model for the nu-calculus. It is based on monadic models of the computational $\lambda$-calculus, but transfers readily to the more direct description used here. (Note that $\nu\mathcal{G}$ is equivalent to the Kleisli category of the strong monad $TA = I \Rightarrow A$ on $\nu\mathcal{G}_t$.) The categorical properties required in [23] to interpret the nu-calculus may be summarised as follows:

— To interpret the call-by-value $\lambda$-calculus, a sound model of Moggi’s computational metalanguage.

— To interpret the type $o$ of booleans, a disjoint coproduct of the terminal object (of $\nu\mathcal{G}_t$) with itself — $\nu\mathcal{G}$ in fact has all small coproducts, obtained by taking the disjoint sum of arenas [13], thus $I + I$ is the arena with two distinct initial answer moves, invariant under $G$-action.

— To interpret the type $\nu$ of names, a distinguished decidable object $N$ — in $\nu\mathcal{G}$ this is the $\nu$-arena, with a set of initial answer-moves indexed over $\mathbb{N}$, which are acted on according to their indices: $M_N = \{m_i \mid i \in \mathbb{N}\}$, $\lambda(m_i) = A$ and $\pi(m_i) = m_{\pi(i)}$ for each $i$. The map $\mathrm{eq} : N \otimes N \to I + I$ which completes the pullback square $t_N; \mathrm{in}_1 : N \to I + I = \delta; \mathrm{eq}$ and with which we interpret the equality test is the strategy $\{(m_i, m_i) \cdot \mathrm{tt} \mid i \in \mathbb{N}\} \cup \{(m_i, m_j) \cdot \mathrm{ff} \mid i, j \in \mathbb{N} \wedge i \neq j\}$.

— To interpret the new-name declaration $\mathrm{new} : \nu$, a distinguished map $\mathrm{new} : I \to N$. This is the total strategy which responds to the initial question with any move in $N$ — i.e. $\mathrm{new} = \{q\,m_i \mid i \in \mathbb{N}\}$. It is straightforward to verify that $\mathrm{new}$ satisfies further equations given in [23] stipulating that new names are distinct from all others, the order in which they are generated is not relevant, and that unused names may be ignored.



Proposition 4. $\nu\mathcal{G}$ is a categorical model of the nu-calculus in the sense of [23].

As examples we consider two contextual equivalences of the nu-calculus described by Pitts and Stark [22]. The first is $\nu x.\lambda y.x = y \approx \lambda y.\mathrm{ff}$. The term $\nu x.\lambda y.x = y : \nu \to o$ is interpreted by composing $\mathrm{new} : I \to N$ with $[\![x : \nu \vdash \lambda y.x = y]\!] : N \to (N \Rightarrow I + I) = \Lambda(\mathrm{eq}) = \{m_i\,a\,m_i\,\mathrm{tt} \mid i \in \mathbb{N}\} \cup \{m_i\,a\,m_j\,\mathrm{ff} \mid i, j \in \mathbb{N} \wedge i \neq j\}$. By the freshness assumption for composition the name supplied by $\mathrm{new}$ must be distinct from the name supplied by Opponent in $(N \Rightarrow I + I)$ and so $[\![\nu x.\lambda y.x = y]\!] = \{q\,a\,m_i\,\mathrm{ff} \mid i \in \mathbb{N}\} = [\![\lambda y.\mathrm{ff}]\!]$. (However, these terms do not have the same denotation in the functor category model [22].)

As a second example, we consider the terms $\lambda f : \nu \to o.\,\mathrm{tt}$ and $\nu x.\nu y.\lambda f : \nu \to o.\,(f\,x = f\,y)$, which are contextually equivalent in the nu-calculus, but are not denotationally equivalent in our model. In the former, Player supplies the value $\mathrm{tt}$ without querying the argument; in the latter, Player queries the argument twice, supplying it with distinct names on each occasion (see Figure 1). They can be distinguished in $\lambda\nu!$, for example by the context $\nu z.\ z := z;\ ([\cdot]\ (\lambda n.\ z := n));\ !z = z$, which returns $\mathrm{tt}$ in the first case and $\mathrm{ff}$ in the second.



[Figure 1 omitted in this transcription: a play in the arena $I \to (N \Rightarrow I + I) \to I + I$, drawn as alternating Opponent (O) and Player (P) moves, in which Player twice supplies a name to the argument, Opponent answers $\mathrm{tt}$ and then $\mathrm{ff}$, and Player finally answers $\mathrm{ff}$.]

Fig. 1. A typical play in $[\![\nu x.\nu y.\lambda f.(f\,x = f\,y)]\!]$.



4.1 Semantics of the Store

Our first attempt to give a games model of $\lambda\nu!$ illustrates Stark’s observation [22] that having given a correct interpretation of local names, it is quite straightforward to use them to store values. We extend our semantics of the nu-calculus to $\lambda\nu!$ by simply adding an object $S$ — an arena representing the store — to the contexts in which terms are interpreted. That is, we interpret $\Gamma \vdash M : T$ as a morphism from $[\![\Gamma]\!] \otimes S$ to $[\![T]\!]$. For general reasons this is still a sound model of the nu-calculus.

Definition 10. For any object $S$, the co-Kleisli category $\nu\mathcal{G}_S$ of the co-monad $\_ \otimes S$ (with triple $(\_ \otimes S,\ \pi_1,\ \mathrm{assoc}; \delta)$) is a closed Freyd category and a model of the nu-calculus.
To interpret assignment and dereferencing we adapt the approach used in previous games models of state [2,4]; we fix the store object $S$ to be the product of its “write” and “read” methods: $S = (N \otimes N \Rightarrow I) \otimes (N \Rightarrow N)$.⁶ We define assignment and dereferencing simply in terms of projections from this product: $[\![\mathrm{assign}]\!] : S \to N \Rightarrow (N \Rightarrow I + I) = \pi_1; \Lambda_N(\Lambda_N(\mathrm{assoc}; \mathrm{in}_1))$ and $[\![\mathrm{deref}]\!] : S \to N \Rightarrow N = \pi_2$. We shall label the non-initial moves in the “write” component $N \otimes N \Rightarrow I$ as $\{\mathrm{write}(i,j) \mid i, j \in \mathbb{N}\}$ (Player moves) and $\mathrm{ok}$ (Opponent moves), and the non-initial moves in the “read” component $(N \Rightarrow N)$ as $\{\mathrm{read}(i) \mid i \in \mathbb{N}\}$ (Player moves) and $\{\mathrm{return}(j) \mid j \in \mathbb{N}\}$ (Opponent moves).

To determine the behaviour of a program under evaluation we compose it with a total strategy $\mathrm{store} : I \to S$, which responds to $\mathrm{write}(i,j)$ with $\mathrm{ok}$ and to $\mathrm{read}(i)$ with $\mathrm{return}(j)$, where $j$ is the last value to have been written to $i$, if any.

Given a store $S$, we define the $\lambda\nu!$-term $\mathrm{ass}(i, S) : o$ to be $i := j$ if $S(i) = j$ and $\mathrm{tt}$ if $S(i)\uparrow$. For a program-in-environment $M, (k, S)$, we define $[\![M, (k, S)]\!] : I \to [\![T]\!] = (\mathrm{new}^k \otimes \mathrm{store}); [\![\mathrm{ass}(1, S); \ldots; \mathrm{ass}(k, S); M]\!]$.

Lemma 5. The following equations hold:

- $[\![i := j, (k, S)]\!] = [\![\mathrm{tt}, (k, S[i \mapsto j])]\!]$,

- $[\![!i, (k, S)]\!] = [\![j, (k, S)]\!]$ $(S(i) = j)$.

Proof. This is by analysis of the interaction between programs and the store strategy.

Proposition 5. $M, (k, S) \Downarrow V, (k', S')$ if and only if for any program $\lambda x.N$ such that $k \vdash \lambda x.N$, $[\![(\lambda x.N\ M), (k, S)]\!] = [\![N[V/x], (k', S')]\!]$.

Proof. Soundness is established by induction on evaluation, using the equations established in Lemma 5 and the properties of $\nu\mathcal{G}$ as a model of the nu-calculus. Adequacy is proved using a standard reducibility predicate argument.

Corollary 1. For any closed $M : o$, $M \Downarrow \mathrm{tt}$ if and only if $\mathrm{store}; [\![M]\!] = [\![\mathrm{tt}]\!]$.

4.2 Garbage Collection

An immediately apparent feature of our model of $\lambda\nu!$ is that interaction with the store always remains a visible part of each strategy, even when it takes place in a cell which has a private name which is never revealed to the environment. This leads to some particularly egregious failures of full abstraction; the denotations of $\nu x.x := x$ and $\mathrm{tt}$ are distinct, for example. For the same reason our model also lacks the finite definability property. That is, not all of the compact strategies on type-objects are denotations.

We shall solve these problems by refining our semantics via a notion of garbage collection — hiding parts of the store which are never globally accessible. We define the latter property by stipulating that a name is globally accessible if it has been revealed outside the store, or in a location which is already globally accessible.

⁶ $S$ corresponds to an $\mathbb{N}$-indexed collection of copies of a “cell” object $C = (I \Rightarrow N) \otimes (N \Rightarrow I)$ [2], to which names act as pointers.
Definition 11. The set of global names of the sequence $s \in L_{A \otimes S \to B}$ is defined:

$\mathrm{glob}(\varepsilon) = \emptyset$,
$\mathrm{glob}(sa) = \mathrm{glob}(s) \cup \nu(a)$, if $a$ is a move in $A$ or $B$,
$\mathrm{glob}(s\,\mathrm{write}(i,j)) = \mathrm{glob}(s) \cup \{j\}$, if $i \in \mathrm{glob}(s)$,
$\mathrm{glob}(sa) = \mathrm{glob}(s)$, otherwise.

We impose an associated condition on legal sequences, requiring that Opponent can only use names which are either new or already globally accessible.

Definition 12. A sequence $s \in L_{A \otimes S \to B}$ satisfies the locality requirement if for every $ta \sqsubseteq_{odd} s$, $\nu(a) \subseteq (\nu(ta) - \nu(t)) \cup \mathrm{glob}(t)$.

The garbage collection of a strategy $\sigma : A \otimes S \to B$ is obtained by hiding interaction with the store strategy in those cells in $S$ which are local in $\sigma$ (a cell is local if its name never becomes globally accessible).

Definition 13. Given a strategy $\sigma$ and $sa \sqsubseteq t \in \sigma$, we say that $a$ is local in $\sigma$ if it has the form $\mathrm{write}(i,j)$ or $\mathrm{read}(i)$, or is enabled by such a move, and there is no $t' \in \sigma$ (satisfying the locality requirement) such that $sa \sqsubseteq t'$ and $i \in \mathrm{glob}(t')$.

For each $s \in \sigma$, let $s \backslash \mathrm{loc}(\sigma)$ be the result of erasing all of the occurrences of moves from $s$ which are local in $\sigma$, and let $s \upharpoonright \mathrm{loc}(\sigma)$ be the result of erasing all of the moves in $s$ which are not local in $\sigma$. We define the garbage collection of $\sigma$:

$\gamma(\sigma) = \{t \in L_{A \otimes S \to B} \mid \exists s \in \sigma.\ qa \cdot (s \upharpoonright \mathrm{loc}(\sigma)) \in \mathrm{store} \wedge s \backslash \mathrm{loc}(\sigma) = t\}$
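The store strategy of Section 4.1 and the garbage collection of Definitions 11 to 13, as an added Python illustration that is not code from the paper. It runs the paper's own motivating example, that $[\![\nu x.x := x]\!]$ and $[\![\mathrm{tt}]\!]$ coincide once the private cell is hidden, and contrasts it with a play in which the cell's name is later revealed, so that the write must be kept. The move encoding (tuples, with the cell index carried on ok and return moves to record which write or read enables them), the sample plays, and the function names are this example's own assumptions.

```python
"""Store strategy and garbage collection of local cells (added example).

A play is a tuple of moves.  Moves in the arenas A or B are
('ext', label, names) with `names` the set of names the move carries
(the paper's nu(a)).  Store moves are ('write', i, j), ('ok', i),
('read', i) and ('return', i, j); the cell index on ok/return records
which write/read enables the move (an assumption of this model).
"""


def names(mv):
    """nu(a): the names carried by a single move."""
    kind = mv[0]
    if kind == 'ext':
        return set(mv[2])
    if kind == 'write':
        return {mv[1], mv[2]}
    if kind == 'read':
        return {mv[1]}
    if kind == 'return':
        return {mv[2]}
    return set()


def store_response(play):
    """The total strategy `store`: answer write(i,j) with ok, and read(i)
    with return(j) for the last j written to cell i.  A read of a cell
    that was never written (or an empty play) has no answer: None."""
    if not play:
        return None
    written = {}
    for mv in play[:-1]:
        if mv[0] == 'write':
            written[mv[1]] = mv[2]
    last = play[-1]
    if last[0] == 'write':
        return ('ok', last[1])
    if last[0] == 'read' and last[1] in written:
        return ('return', last[1], written[last[1]])
    return None


def glob(play):
    """Definition 11: the names that have become globally accessible."""
    g = set()
    for mv in play:
        if mv[0] == 'ext':
            g |= set(mv[2])
        elif mv[0] == 'write' and mv[1] in g:   # value stored in a global cell
            g.add(mv[2])
    return g


def satisfies_locality(play):
    """Definition 12: at every odd prefix t.a (a an Opponent move, since
    Opponent moves first) the names of a are fresh or already global."""
    for k in range(1, len(play) + 1, 2):
        t, a = play[:k - 1], play[k - 1]
        seen = set().union(*[names(m) for m in t])
        if not names(a) <= (names(a) - seen) | glob(t):
            return False
    return True


def cell_of(mv):
    return mv[1] if mv[0] in ('write', 'ok', 'read', 'return') else None


def local_positions(play, strategy):
    """Definition 13: positions of store moves on a cell i such that no
    play t' of the strategy extending the prefix ever makes i global."""
    loc = set()
    for k, mv in enumerate(play):
        i = cell_of(mv)
        if i is None:
            continue
        prefix = play[:k + 1]
        revealed = any(t[:k + 1] == prefix and satisfies_locality(t)
                       and i in glob(t) for t in strategy)
        if not revealed:
            loc.add(k)
    return loc


def garbage_collect(strategy):
    """gamma(sigma): erase the local moves of each play, keeping it only if
    the erased part is what the store strategy itself would have played."""
    result = set()
    for s in strategy:
        loc = local_positions(s, strategy)
        hidden = [mv for k, mv in enumerate(s) if k in loc]
        consistent = all(store_response(hidden[:k]) == hidden[k]
                         for k in range(len(hidden))
                         if hidden[k][0] in ('ok', 'return'))
        if consistent:
            result.add(tuple(mv for k, mv in enumerate(s) if k not in loc))
    return result


def prefixes(play):
    """Strategies are prefix-closed, so one maximal play generates one."""
    return {play[:n] for n in range(len(play) + 1)}


# Constructed sample plays in I (x) S -> o, each opened by the question q.
Q, TT = ('ext', 'q', frozenset()), ('ext', 'tt', frozenset())
TT_PLAY = (Q, TT)                                       # [[tt]]
PRIVATE = (Q, ('write', 'x', 'x'), ('ok', 'x'), TT)    # [[nu x. x := x]]
LEAKED = (Q, ('write', 'x', 'x'), ('ok', 'x'),
          ('ext', 'ret', frozenset({'x'})))             # the name x is revealed


def denotations_agree(p1, p2):
    """True when the strategies generated by p1 and p2 coincide after gamma."""
    return garbage_collect(prefixes(p1)) == garbage_collect(prefixes(p2))
```

Running `denotations_agree(PRIVATE, TT_PLAY)` gives true: the write to the private cell and its acknowledgement are local, the store would indeed have answered `ok`, and what remains is exactly the play of $\mathrm{tt}$. For `LEAKED` the name becomes global in a later play of the same strategy, so `local_positions` leaves the write in place and the two denotations stay distinct.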

Lemma 6. If $\sigma : A \otimes S \to B$ then $\gamma(\sigma)$ is a well defined strategy on $A \otimes S \to B$.

Proof. We show by induction on sequence length that if $sa, tb \in \gamma(\sigma)$, and $s \sim t$, then there exist $s'a, t'b \in \sigma$ such that $s' \sim t'$ and $s = s' \backslash \mathrm{loc}(\sigma)$ and $t = t' \backslash \mathrm{loc}(\sigma)$, and hence $sa \sim tb$.

Lemma 7. For strategies $\sigma : A \to B$, $\tau : B \to C$, $\gamma(\sigma; \tau) = \gamma(\gamma(\sigma); \gamma(\tau))$.

Proof. We consider interaction sequences $s$ in $\sigma \| \tau \subseteq I_{A \otimes S, B \otimes S, C}$ (where the lifted strategy $A \otimes S \to B \otimes S$ is $\mathrm{assoc}; (A \otimes \delta); (\sigma \otimes S)$). Note that the freshness assumptions on interaction sequences imply that if Opponent obeys the locality condition in $s \upharpoonright A \otimes S \to B$ and $s \upharpoonright B \otimes S \to C$ then Opponent obeys the locality condition in $s \upharpoonright A \otimes S \to C$. We show that if we erase moves (in both copies of the store) which are local with respect to the whole interaction sequence (hence obtaining an interaction sequence in $\gamma(\sigma) \| \gamma(\tau)$), and then restrict to $A \otimes S \to C$ and garbage collect, then this is equivalent to restricting $s$ to $A \otimes S \to C$ and garbage collecting.

A strategy $\sigma$ is said to be garbage-collected if $\gamma(\sigma) = \sigma$ — i.e. $\sigma$ has no local names. We define a category $\gamma\nu\mathcal{G}$ of garbage-collected strategies, in which the composition of $\sigma$ and $\tau$ is defined to be $\gamma(\sigma; \tau)$. Lemma 7 is used to establish that this is associative, and that $\gamma$ acts as an (identity on objects) functor from $\nu\mathcal{G}$ to $\gamma\nu\mathcal{G}$. From the soundness result for the original model (Proposition 5) we obtain the following.

Proposition 6. $M \Downarrow \mathrm{tt}$ if and only if $\gamma([\![M]\!]_{\nu\mathcal{G}}) = [\![\mathrm{tt}]\!]$.

If $T$ is a $\nu$-free type, then every strategy $\sigma : S \to [\![T]\!]$ has no globally accessible names, and therefore $\gamma(\sigma)$ contains no interaction with the store. So for these types, our model is equivalent to (the boolean fragment of) Abramsky and McCusker’s model of RML.

5 Definability and Full Abstraction

To prove definability of compact strategies in the garbage-collected model, we combine two standard proof techniques: factorization of strategies into the composition of a finitary innocent strategy with a series of copies of the $\mathrm{new}$ strategy and the store, and a proof by decomposition that the innocent strategies are definable in $\lambda\nu! - \{\mathrm{new}\}$. Note first that if $\sigma : S \to [\![T]\!]$ is compact with respect to the inclusion order then both the length of sequences in $\sigma$, and the number of names introduced in each sequence, is bounded. Recall that a strategy $\sigma$ is deterministic if $sa, sb \in \sigma$ implies $a = b$. Note that a $\nu$-strategy is deterministic if and only if it never introduces any new names — i.e. for all $s \in \sigma$, $P\nu(s) = \emptyset$.



Lemma 8. Given any compact strategy $\sigma : A \to B$, there exists a deterministic strategy $\sigma' : N^k \otimes A \to B$ such that $((\mathrm{new})^k \otimes \mathrm{id}_A); \sigma' = \sigma$.

Proof. Opponent’s first move in $N^k \otimes A \to B$ supplies names $n_1, \ldots, n_k$. $\sigma'$ then plays as $\sigma$ except that where $\sigma$ uses a Player-introduced name, $\sigma'$ copies one of the $n_1, \ldots, n_k$.

We now use a further factorization to reduce the deterministic strategies to finitary innocent strategies composed with multiple copies of a strategy $\mathrm{cell} : I \to (N \Rightarrow I + I) \otimes (I + I \Rightarrow N)$. (A strategy is innocent if its behaviour is always determined by the Player view [8,15]; an innocent strategy is finitary if its set of views is finite.) The $\mathrm{cell}$ strategy corresponds to (a lifting of) the cell strategy defined in [2]: in the “read” component $I + I \Rightarrow N$ it returns the last value (if any) written to the “write” component $N \Rightarrow I + I$.

Lemma 9. Let $\sigma : A \to B$ be a deterministic compact strategy. Then there exist $m, n \in \mathbb{N}$ and a finitary innocent strategy $\sigma' : ((N \Rightarrow I + I) \otimes (I + I \Rightarrow N))^{m+1} \otimes N^n \otimes A \to B$ such that $\sigma = \mathrm{cell}^{m+1} \otimes \mathrm{new}^n \otimes \mathrm{id}_A; \sigma'$.

Proof. The proof follows the factorization of a “knowing” strategy into the composition of an innocent strategy and a cell described by Abramsky and McCusker [2]. $\sigma'$ uses one copy of $(N \Rightarrow I + I) \otimes (I + I \Rightarrow N)$ as a reference cell to record the history of play in $A$ and $B$, via natural number encoding (we use the additional names supplied by Opponent to represent the numbers $1, \ldots, n$). We require the additional reference cells to store the new names introduced by Opponent in the course of play, as these cannot be encoded.

Finally, we prove definability of the finitary innocent strategies.

Lemma 10. Given a finitary innocent strategy $\sigma : S \to [\![T]\!]$, there exists a term $M_\sigma : T$ of $\lambda\nu! - \{\mathrm{new}\}$ such that $[\![M_\sigma]\!] = \sigma$.

Proof. We prove this using a decomposition of innocent strategies which closely follows Honda and Yoshida’s proof of finite definability for their model of call-by-value PCF [7]. The only difference is at the level of first-order functions on names, which can compare and copy their inputs, but may not perform any other arithmetic operations on them.

Proposition 7. Every compact strategy on a $\lambda\nu!$-type object is definable as a term of $\lambda\nu!$.

Proof. Given a strategy $\sigma : S \to [\![T]\!]$, we apply Lemmas 8 and 9 to obtain an innocent strategy $\sigma' : ((N \Rightarrow I + I) \otimes (I + I \Rightarrow N))^{m+1} \otimes N^{n+k} \otimes S \to [\![T]\!]$ such that $\sigma = \mathrm{cell}^{m+1} \otimes \mathrm{new}^{n+k} \otimes \mathrm{id}_S; \sigma'$. By Lemma 10, $\sigma'$ is definable as a term $y_1 : \nu \to o,\ z_1 : o \to \nu,\ \ldots,\ y_{m+1} : \nu \to o,\ z_{m+1} : o \to \nu,\ x_1 : \nu,\ \ldots,\ x_{n+k} : \nu \vdash M_{\sigma'} : T$.

Thus we define $M_\sigma =$

$\nu x_1 \ldots x_{n+k}.\ \nu w_1 \ldots w_{m+1}.\ (((\lambda y_1 \ldots y_{m+1}.\ \lambda z_1 \ldots z_{m+1}.\ M_{\sigma'})\ \lambda u.\,w := u)\ \lambda v.\,!w)$

By a standard argument [8,5], we may now show that observational equivalence in $\lambda\nu!$ corresponds to the intrinsic equivalence $\sim$ on the model, where $f : A \to B \sim g : A \to B$ if for all $h : (A \Rightarrow B) \to I$, $\Lambda(f); h = \bot$ if and only if $\Lambda(g); h = \bot$.

Corollary 2. For all $\lambda\nu!$-terms $M, N : T$, $M \approx N$ if and only if $[\![M]\!] \sim [\![N]\!]$.

We thus have a full abstraction result for the quotient of the games model under its intrinsic preorder. Note that if $[\![M]\!]$ and $[\![N]\!]$ have no globally accessible variables — for example, if $M$ and $N$ are terms of the nu-calculus, or terms over name-free types — then $[\![M]\!] \sim [\![N]\!]$ (and thus $M \approx N$) if and only if they have equal sets of complete plays. (A play is complete [2] if the initial question has been answered.) Moreover (unlike the fully abstract model of PCF) observational equivalence of compact strategies is decidable.

Proposition 8. The fully abstract model of $\lambda\nu!$ is effectively presentable.

Proof. (Sketch) We first show that we can give an effective presentation of the unquotiented model, by giving a finitary representation of compact strategies by restriction to the legal sequences in which names are introduced in numerical order, starting with zero.

We show that the intrinsic preorder and equivalence on these strategies are decidable by bounding the size of the strategy required to distinguish between given compact strategies. As we have already observed, there are upper bounds $\#(\sigma)$ on the length of sequences in $\sigma$ and $n(\sigma) = \max\{|\nu(s)| \mid s \in \sigma\}$ on the number of distinct names occurring in these sequences.

So suppose $\sigma \not\sim \tau$ — i.e. there exists $\rho : [\![T]\!] \otimes S \to I$ such that $\sigma; \rho \neq \tau; \rho$. We show that there exists $\rho' : [\![T]\!] \otimes S \to I + I$ such that $\sigma; \rho' \neq \tau; \rho'$ and the maximum sequence length in $\rho'$ is $\max\{\#(\sigma), \#(\tau)\} \cdot (2n(\sigma) + 2n(\tau) + 1)$. We obtain $\rho'$ by eliminating from $\rho$:

— sequences which do not arise from interaction with $\sigma$ or $\tau$,

— moves in cells with names which never become globally accessible to $\sigma$ or $\tau$,

— multiple assignments to, or dereferences of, the same cell without intervening play in $[\![T]\!]$.

Thus for any play in $\rho'$, the part which is in $[\![T]\!] \to I$ is no longer than the maximal play in $\sigma \cup \tau$, whilst the part in the store is at most one dereference of, and assignment to, each name occurring in $\sigma$ or $\tau$ between each pair of moves in $[\![T]\!]$.

6 Conclusions and Further Directions 

Several natural questions about our models of local names remain to be an- 
swered. For example, which strategies are the denotations of terms of the pure 
nu-calculus? To characterize them we would need a way of recording the scope 
of each newly introduced name. It seems unlikely, however, that such a full com- 
pleteness result would yield an effective characterization of contextual equiva- 
lence in the nu-calculus. 

There is a more realistic possibility of extending the characterization of observational equivalence in $\lambda\nu!$, based on our games model. It should, for example, be possible to describe the intrinsic equivalence directly, by characterizing equivalent patterns of behaviour in the store. Recent research [6,19] has succeeded in associating games models of fragments of Idealized Algol with various classes of formal languages, leading to decidability results for observational equivalence. Analogous results may be possible for languages such as $\lambda\nu!$. However, to characterize a finite-state fragment (for example) it would be necessary to restrict the ability to generate unbounded sets of new names. In general, observational equivalence in $\lambda\nu!$ is not decidable, because for types generated from $\{o, \to\}$ it coincides with that of finitary RML, for which undecidability of observational equivalence has been shown by Murawski [17].

As we have noted in the introduction, there are many areas in which local 
names play a key role, and which might therefore be studied semantically using 
the approach developed here. Most obviously, the games models of higher-order 
references [4], exceptions [11] and channels [12] could be refined to eliminate bad 
variables. (A complicating factor in the case of references, for example, is that 
names are typed.) This might shed light on the categorical structures required 
to model good variables. We also hope to use the insights into name-passing 
obtained here to study areas such as mobile and global computation, where 
it is fundamental. The obvious analogies between names and secrets such as 
cryptographic keys are suggestive of possible applications in the field of secrecy 
and security. 
Abstract. We consider a formalism DL for first order Dynamic Logic, 
based on Segerberg’s axioms for modalities, and observe that DL is 
not conservative over Hoare Logic (HL) when the background theory 
is empty, but is conservative if the background theory is the complete 
theory of an expressive structure (in the sense of Cook). We identify 
Peano Arithmetic (PA) as the transition point between these two states 
of affairs: DL is conservative over HL in the presence of a number 
theory that contains PA, and is not conservative for the sub-theories of 
PA with a bound on the complexity of induction formulas. 

We proceed to delineate a natural sub-formalism of DL, with Segerberg’s 
induction restricted to first order formulas, and prove that the resulting 
calculus proves exactly the same partial correctness assertions as HL, 
regardless of the background first order theory. 



1 Introduction 

Hoare-style Logics prove partial correctness assertions (PCAs) about imperative programs. Their prominent role in program verification is due in part to their being syntax-directed: the inference rules follow the inductive buildup of programs. As a result, proofs can be converted into program annotations, and inference rules can guide program derivation and transformation. In contrast, some central rules of Dynamic Logics are not syntax directed, allowing reasoning that intertwines formulas and programs in complex ways. This added complexity is obviously necessary when proving properties of programs that are themselves more complex than PCAs, such as $[\alpha^*]\top \to \langle\alpha^*\rangle\varphi$.¹ But does Dynamic Logic buy us PCA’s that Hoare’s Logic fails to prove? That is, are there PCA’s that are proved in first order logic augmented with Segerberg’s rules for program modalities, but are not provable using only PCA’s along the way?²

The answer might depend, of course, on the background first order theory $T$, which in the case of Hoare’s Logic manifests itself via the implicational first order formulas used in the Rule of Consequence,

* Research partially supported by NSF grant CCR-CCR-0105651.

¹ I.e., the formula stating that if all iterations of $\alpha$ terminate then $\varphi$ is true after some iterate.

² A formalism for Dynamic Logic considered by Harel [5,6] has an additional inference rule, dubbed Convergence. We discuss that extension elsewhere.
$\varphi[\alpha]\psi$

If a Hoare-style logic H is relatively complete for a structure S, and T consists 
of the entire first order theory Th{S) of S, then Cook’s Relative Completeness 
Theorem applies, and already H(T) (i.e. H based on T) proves all PCA’s true 
in S. Unfortunately, this observation is not particularly helpful, because Th{S) 
is not effectively axiomatizable for most structures S of interest. 

Consider then the opposite extreme case, where $T$ is empty, i.e. the Consequence Rule invokes only implications that are provable in first order logic, no axioms added. Even though Dynamic Logic has a far more complex proof theory than Hoare Logic, it is not immediately obvious that this difference should manifest itself in more PCA’s being proved. In general, extending a formalism with extra expressive or deductive power is no guarantee that new theorems of a simple form are proved.³

We shall show (Theorem 2) that, in fact, DL based on the empty theory 
proves far more PCA’s than Hoare’s Logic based on the empty theory. To fo- 
cus on the essentials, we formulate this and subsequent theorems for a simple 
programming language, namely regular programs with first-order tests and as- 
signments as atomic actions. (Guarded iterative programs, i.e. while programs, 
are definable in terms of these regular programs.) Also, to facilitate comparisons, 
we restrict our attention to the natural numbers as the only data type. 

Since DL is conservative over HL when the background theory $T$ is as strong as possible, and not conservative when $T$ is empty, it is natural to ask whether there is a theory $T_0$ that demarcates a transition between these two states of affairs. In Theorem 3 we prove that Peano Arithmetic PA is such a transition point: DL($T$) is conservative over H($T$) for all extensions $T$ of PA, but not when $T$ is PA with a bound on the complexity of induction formulas.

Peano Arithmetic, albeit natural and transparent, is a surprisingly powerful theory, because it allows Induction for arbitrarily complex formulas. Thus, for all practical purposes Dynamic Logic is not conservative over Hoare’s Logic. One would wish, then, to identify a variant of Dynamic Logic that is conservative over Hoare Logic for any background theory. In Theorem 7 we identify such a variant, obtained simply by restricting Segerberg’s Induction to first order eigen-formulas, that is, with no reference to programs.

Theorem 7 is our main result, both technically and for its practical potential. The main difficulty is in showing that Segerberg’s Induction,



³ For example, extending Peano Arithmetic with all true $\Pi_1$ sentences yields a theory vastly more powerful than PA, but without any new provably recursive functions [7].

(with $\varphi$ program-free) does not prove more PCA’s than the Invariance Rule of Hoare Logic for regular programs,

This is far from obvious, because the premise of the Invariance Rule requires $\varphi$ to be an invariant of $\alpha$ in all states, whereas in the premise of Segerberg’s Induction $\varphi$ needs to be invariant under $\alpha$ just in states reached by iterated execution of $\alpha$.

2 Dynamic Logic and Arithmetic

2.1 Dynamic Logic over Regular Programs

To focus on the essentials, we refer to the simplest non-trivial imperative programming language, namely regular programs over assignments, with first-order tests [12,6]. That is, we fix a vocabulary $V$ (a finite set of function and relational identifiers, each assigned a non-negative integer as an arity). Let $A$ be the set of $V$-assignments, that is expressions of the form $x := t$, where $t$ is a $V$-term. The set $P$ of $V$-regular programs is generated inductively by the following clauses for abstract syntax.

$A \ni a$ ($V$-assignments)

$\Phi \ni F$ (first order $V$-formulas)

$P \ni \alpha ::= a \mid\ ?F \mid \alpha;\alpha \mid \alpha \cup \alpha \mid \alpha^*$

As usual, guarded iterative programs (“while programs”) are definable by programs in $P$: $\mathbf{skip} = ?\top$, $\mathbf{abort} = ?\bot$, $(\mathbf{if}\ F\ \mathbf{then}\ \alpha\ \mathbf{else}\ \beta) = (?F; \alpha) \cup (?\neg F; \beta)$, and $(\mathbf{while}\ F\ \mathbf{do}\ \alpha) = (?F; \alpha)^*; (?\neg F)$. Given a $V$-structure $S$, the semantics of programs $\alpha$ is defined by a straightforward recurrence on the complexity of $\alpha$ (see e.g. [6]).

A DL formula of the form $\varphi \to [\alpha]\psi$, with $\varphi$ and $\psi$ first-order, is said to be a partial-correctness assertion (PCA). It is often useful to abbreviate the formula above by $\varphi[\alpha]\psi$. The first-order formula $\varphi$ is dubbed the PCA’s pre-condition, and $\psi$ is its post-condition.

The following are the rules of the deductive calculus DL for Dynamic Logic, to be added to a deductive calculus for first order logic. The rules are due to Segerberg, who formulated them for Propositional Dynamic Logic (see [12], [6, §5.5]).

I Axiom-templates and rules for programs in general. These are the rules of the rudimentary modal logic K:

Box Distribution: $[\alpha](\varphi \to \psi) \to ([\alpha]\varphi \to [\alpha]\psi)$.

Generalization (Necessitation): from $\vdash \varphi$ infer $\vdash [\alpha]\varphi$.
II Rules for atomic programs; these define the intended meaning of atomic programs in terms of first order logic:

Assignment: $[x := t]\varphi[x] \leftrightarrow \varphi[t]$

Test: $[?\chi]\varphi \leftrightarrow (\chi \to \varphi)$

III Syntax directed rules for regular-program constructs; these relate the meaning of $[\alpha]$ for a compound program $\alpha$ to the meaning of $[\beta]$ for the immediate components $\beta$ of $\alpha$.

Composition: $[\alpha; \beta]\varphi \leftrightarrow [\alpha][\beta]\varphi$

Branching: $[\alpha \cup \beta]\varphi \leftrightarrow [\alpha]\varphi \wedge [\beta]\varphi$

Iteration: $[\alpha^*]\varphi \leftrightarrow \varphi \wedge [\alpha][\alpha^*]\varphi$

IV Induction; this schema conveys the inductive meaning of the iteration operator $*$:

$[\alpha^*](\varphi \to [\alpha]\varphi) \to (\varphi \to [\alpha^*]\varphi)$

If $T$ is a first order $V$-theory, we write DL($T$) for the deductive calculus above, based on first order logic, and using $T$ as axioms. We refer to $T$ as the background theory.

2.2 An Interpretation of Peano Arithmetic in Dynamic Logic

While Dynamic Logic is intended as a logical formalism, that is with arbitrary relational structures as potential universes, the semantics of iteration is defined as standard iteration, i.e. with natural numbers as counters. This makes it possible to enforce natural numbers as values for variables. Namely, the modal operator $[\mathrm{N}(x)]$, where $\mathrm{N}(x)$ is the program $x := 0;\ (x := s(x))^*$ (with $s$ denoting the successor function), forces $x$ to range precisely over the natural numbers in its scope. That is, $[\mathrm{N}(x)]\varphi$ is true in a structure $S$ and an environment $\eta$ therein iff the formula $\forall x.\ \mathrm{N}(x) \to \varphi$ is true in that environment with the unary identifier $\mathrm{N}$ interpreted as the set of denotations in $S$ of the numerals $0, s(0), s(s(0)), \ldots, s^n(0), \ldots$.

Peano Arithmetic (PA) is the first order theory over the vocabulary consisting of identifiers for $0$, $s$ (the successor function), $+$ and $\times$. There are three groups of axioms:

1. The two separation axioms for $\mathrm{N}$, i.e. Peano’s Third and Fourth Axioms

$\forall x.\ s(x) \neq 0$ and $\forall x, y.\ s(x) = s(y) \to x = y$

2. The defining recurrence equations for addition and multiplication.

3. All instances of the schema of Induction,

$\forall x.\ (\varphi[x] \to \varphi[sx]) \to (\varphi[0] \to \forall x.\ \varphi[x])$
It will be convenient to consider a definitional extension of Peano Arithmetic, as follows. It is well known that there are canonical arithmetizations of syntax for which the basic syntactic operations, such as term substitution and correctness of inferences, are represented by primitive recursive (in fact, elementary-recursive) functions. We posit function identifiers for these functions (as well as for the auxiliary functions used to define them), and stipulate that Peano Arithmetic has as axioms all defining primitive-recursion equations for these functions. We write $\upsilon$ for the conjunction of the separation axioms and the defining equations for the functions of the theory.

We interpret PA in DL as follows, writing $\varphi^{\circ}$ for the DL formula that interprets a PA formula $\varphi$. An equation $t = t'$ is interpreted as itself. Our interpretation commutes with the propositional connectives: $(\varphi \wedge \psi)^{\circ} =_{df} \varphi^{\circ} \wedge \psi^{\circ}$ etc. Quantifiers are interpreted using the modal operators: $(\forall x.\varphi)^{\circ} =_{df} [\mathrm{N}(x)](\varphi^{\circ})$, and $(\exists x.\varphi)^{\circ} =_{df} \langle\mathrm{N}(x)\rangle(\varphi^{\circ})$.

Theorem 1. Let $\varphi$ be a closed formula in the language of PA as above.

1. $\varphi$ is true in the standard model of arithmetic iff $\upsilon \to \varphi^{\circ}$ is valid.

2. $\varphi$ is a theorem of PA iff $\upsilon \to \varphi^{\circ}$ is provable in DL.

Proof Outline. The proof of (1) is by a straightforward induction on the structure of $\varphi$.

The forward direction of (2) is proved by induction on the PA proof of $\varphi$. The only interesting case is Induction, i.e. with $\varphi$ of the form

$\forall x\ (\psi[x] \to \psi[sx]) \to (\psi[0] \to \forall x\ \psi[x])$

Then $\varphi^{\circ}$ is

$[x := 0;\ (x := s(x))^*](\psi^{\circ}[x] \to \psi^{\circ}[s(x)]) \to \psi^{\circ}[0] \to [x := 0;\ (x := s(x))^*]\psi^{\circ}[x]$

By the Box-Distribution rule of DL, it suffices to prove

$[(x := s(x))^*](\psi^{\circ}[x] \to \psi^{\circ}[s(x)]) \to \psi^{\circ}[x] \to [(x := s(x))^*]\psi^{\circ}[x]$

or, equivalently (by the Assignment Rule),

$[(x := s(x))^*](\psi^{\circ}[x] \to [x := s(x)]\psi^{\circ}[x]) \to (\psi^{\circ}[x] \to [(x := s(x))^*]\psi^{\circ}[x])$

But this is an instance of Segerberg’s Induction Schema of DL.

The backward direction of (2) is proved by interpreting DL in Peano’s Arithmetic. This has been done, e.g., in [1,3,4]. ∎

Note that our interpretation of PA in DL does not use quantification in DL. This is because all basic data is generated inductively, and so can be referred to as the output of a program. This does not show, however, that quantification is generally redundant in Dynamic Logic. For example, DL specifications for programs over graphs would naturally use quantifiers over vertices and edges.
The use of the nondeterministic $*$ operator in the program $\mathrm{N}(x)$ is not essential here. We could use instead the deterministic program

$\mathrm{N}'(x) = y := x;\ \mathbf{while}\ y \neq 0\ \mathbf{do}\ y := y - 1\ \mathbf{end}$

We would then interpret $\forall x.\varphi$ by $\forall x.\ [\mathrm{N}'(x)]\varphi^{\circ}$. Of course, in the absence of nondeterministic program constructs we can no longer dispense with quantifiers.



2.3 Interpreting Inductive Algebras

We can use DL modalities to force variables to range over any given inductively generated algebra. For example, the set $\Sigma^*$ of words over a finite alphabet $\Sigma$ can be identified with the free algebra generated from the constant $e$, denoting the empty word, and, for each $a \in \Sigma$, a unary function identifier $a$. For the case $\Sigma = \{0, 1\}$ the constructors are the $0$-ary $e$ and the unary $0$ and $1$. A word such as $011$ is represented in the algebra as $0(1(1(e)))$.

Define now a program analogous to $\mathrm{N}(x)$:

$\mathrm{W}_{\{0,1\}}(x) = x := e;\ ((x := 0(x)) \cup (x := 1(x)))^*$

Then $[\mathrm{W}_{\{0,1\}}(x)]\varphi$ is true in a structure $S$ and environment $\eta$ therein exactly when $\varphi$ is true for all denotations of terms representing $\{0, 1\}^*$.

The definition is similar for arbitrary word algebras $\Sigma^*$, and, indeed, for any free algebra. Multi-sorted free algebras can also be represented by such iterative programs. For example, to have $x$ range over the algebra of lists over $\mathbb{N}$, with $\Lambda$ denoting Nil and $c$ denoting cons, we use the program

$\mathrm{L}_{\mathbb{N}}(x) = x := \Lambda;\ (y := 0;\ (y := s(y))^*;\ x := c(y, x))^*$

It is not hard to prove for every inductive algebra (even multi-sorted) statements analogous to the two parts of Theorem 1. We shall not have use for these generalizations here.



3 Dynamic Logic vs. Hoare's Logic: The Role of the Background Theory

3.1 Hoare's Logic for Regular Programs

Let $V$ be a vocabulary, and $T$ a $V$-theory, all of whose axioms are closed
formulas. We define a Hoare calculus $H^*(T)$ for reasoning about PCAs for
regular $V$-programs with assignments. The distinctive feature of a Hoare logic
is the reference to only PCAs and first-order $V$-formulas.

In the following, $\vdash$ stands for provability in first-order logic (for
example, using natural deduction derivations). The inference rules are as
follows.
Assignment:       $\{t/x\}\varphi\ [x := t]\ \varphi$

Composition:      from $\varphi\ [\alpha]\ \chi$ and $\chi\ [\beta]\ \psi$
                  infer $\varphi\ [\alpha;\beta]\ \psi$

Branching:        from $\varphi\ [\alpha]\ \psi$ and $\varphi\ [\beta]\ \psi$
                  infer $\varphi\ [\alpha \cup \beta]\ \psi$

Iteration:        from $\varphi\ [\alpha]\ \varphi$ infer $\varphi\ [\alpha^*]\ \varphi$

Query:            $\varphi\ [\chi?]\ (\varphi \wedge \chi)$, where $\chi$ is quantifier-free

Pre-consequence:  from $T \vdash \varphi' \to \varphi$ and $\varphi\ [\alpha]\ \psi$
                  infer $\varphi'\ [\alpha]\ \psi$

Post-consequence: from $\varphi\ [\alpha]\ \psi$ and $T \vdash \psi \to \psi'$
                  infer $\varphi\ [\alpha]\ \psi'$


A formalism $H(T)$ for reasoning about PCAs for guarded iterative programs
is obtained by replacing the rules for Branching, Query, and Iteration by rules
for the remaining program constructs of guarded iterative programs. The rules
are exhibited in the following table.

Skip:       $\varphi\ [\mathbf{skip}]\ \varphi$

Abort:      $\varphi\ [\mathbf{abort}]\ \bot$

Cases:      from $(\varphi \wedge \chi)\ [\alpha]\ \psi$ and $(\varphi \wedge \neg\chi)\ [\beta]\ \psi$
            infer $\varphi\ [\mathbf{if}\ \chi\ \mathbf{then}\ \alpha\ \mathbf{else}\ \beta]\ \psi$

Iteration:  from $(\varphi \wedge \chi)\ [\alpha]\ \varphi$
            infer $\varphi\ [\mathbf{while}\ \chi\ \mathbf{do}\ \alpha]\ (\varphi \wedge \neg\chi)$

If $\alpha$ is a regular $V$-program and $T$ is a $V$-theory, we write
$T \vdash_H \varphi\ [\alpha]\ \psi$ when $\varphi\ [\alpha]\ \psi$ is derivable in $H^*(T)$.
3.2 The Cases of Maximal and Minimal Background Theories

The largest possible first-order theory $T$ for the structure $\mathcal{N}$ is the
set $Th(\mathcal{N})$ of all $V$-formulas that are true in the standard model
$\mathcal{N}$ for the natural numbers (with function identifiers interpreted as
the primitive recursive functions they are intended to denote). For this choice
of $T$, $H(T)$ proves exactly the PCA's that are true in $\mathcal{N}$, by Cook's
Relative Completeness Theorem [2]. Since $DL(T)$ is sound for $\mathcal{N}$, it
cannot possibly prove additional PCA's.

At the other extreme we have as $T$ the empty theory. The proof theory of
DL is far richer and more complex than that of Hoare's Logic, but (as discussed
in the Introduction) this by itself does not necessarily imply that more PCA's
are proved in DL. The needed link between proof theoretic power and PCA's is
provided by the following.

Theorem 2. In the absence of a background theory, first order dynamic logic
is not conservative over Hoare's Logic: there are PCA's that are provable in
Dynamic Logic, but not in Hoare's Logic.



Proof Outline. For $k \ge 0$, let $PA_k$ be Peano Arithmetic with Induction
restricted to $\Pi_k$ formulas. Let $\chi$ be a universal sentence of the form
$\forall x.\, t[x] = 0$ which is a theorem of $PA$ but not of $PA_1$, for example
a sentence expressing the consistency of $PA_1$, i.e. the fact that no $x$ codes
a proof for $PA_1 \vdash \bot$. Referring to the interpretation above of DL in
PA, $\chi$ is the PCA $[N(x)](t = 0)$, and so the PCA

$\pi =_{df} \top\ [N(x)]\ (t = 0)$

is provable in $DL(\emptyset)$.

Towards contradiction, suppose that $\pi$ is provable in $H(\emptyset)$. By [8],
there are then first order formulas $\zeta_i$ for which the first order formula

$(\psi \wedge \bigwedge_i (\mathrm{Cl}_N[\zeta_i] \to \zeta_i[x])) \to t[x] = 0$

is provable (in first order logic!), where

$\mathrm{Cl}_N[\zeta] =_{df} \zeta[0] \wedge \forall z.\, \zeta[z] \to \zeta[sz]$

For each numeral $\bar{n}$, the formula $\mathrm{Cl}_N[\zeta_i] \to \zeta_i[\bar{n}]$
has a trivial $n$-step proof, so for each $n \in \mathbb{N}$ we obtain a first
order proof of $\psi \to t[\bar{n}] = 0$. Moreover, normalizing yields a proof
purely in the language of Peano Arithmetic. This entire argument is
formalizable in $PA_1$, with the conclusion that $PA_1$ proves
$\forall x.\, t[x] = 0$, contradicting the choice of $t$. □

Note. The use of the nondeterministic program $N(x)$ is, again, inessential
here; the argument above can be modified to use the program $N'(x)$ instead,
albeit with some loss of elegance.
3.3 The Boundary of Conservativeness Is Peano's Arithmetic

We have seen that DL is conservative over H in the presence of the complete
first order theory $Th(\mathcal{N})$ of $\mathcal{N}$, but is not conservative
over H when the background theory is empty. It is natural to ask for a
transition point.

Since the proof theoretic power of DL itself is akin to that of Peano
Arithmetic, as illustrated by the results of [1,3,4], it is not surprising that
the transition point is Peano Arithmetic.

Theorem 3. Let $T$ be a subtheory of $Th(\mathcal{N})$.

1. If $T$ contains Peano Arithmetic, then $DL(T)$ is conservative over $H(T)$.

2. $DL(PA_k)$ (or even $DL(\emptyset)$) is not conservative over $H(PA_k)$.

Proof Outline. A straightforward approach for proving (1) is to emulate the
proof of Cook's Relative Completeness Theorem, replacing the property "true
in $\mathcal{N}$" by "provable in $DL(T)$." However, this approach cannot work
verbatim: our axiomatization of DL (contrary to Harel's [5]) allows
non-standard models for $DL(T)$ (no matter what $T$ is), and so we cannot have
a provable variant of expressiveness: there is no first order formula
$\psi[x]$ such that $DL(T) \vdash \psi[x] \leftrightarrow \langle N(y) \rangle\, y = x$.

Thus, we take a slightly different approach, and refer directly to a first
order rendition of program semantics, rather than of weakest-preconditions.
For each regular program $\alpha$, over variables $x$, one defines a first
order formula $\mu_\alpha[x, v]$ of PA that conveys the input/output semantics
of the program $\alpha$ over the structure $\mathcal{N}$. For instance,
$\mu_{\alpha;\beta}[x, v]$ is defined as $\exists z.\, \mu_\alpha[x, z] \wedge \mu_\beta[z, v]$,
and $\mu_{\alpha^*}[x, v]$ is defined from $\mu_\alpha$ using sequence-coding.
By induction on $\alpha$, one then proves that for all first-order formulas
$\varphi$,

$H(PA) \vdash (\forall v.\, \mu_\alpha[x, v] \to \varphi[v])\ [\alpha]\ \varphi[x] \qquad (1)$

Also, all axioms of DL become provable in PA under the interpretation of
formulas $([\alpha]\zeta)[y]$ as $\forall v.\, \mu_\alpha[y, v] \to \zeta[v]$; and the
generalization rule of DL becomes a derived rule of PA under that
interpretation. Since $T$ contains PA, it follows that if $DL(T)$ proves a PCA
$\varphi\ [\alpha]\ \psi$, where the free variables in $\alpha$ are among $x$,
then the formula $\varphi \wedge \mu_\alpha[x, v] \to \{v/x\}\psi$ is provable
in $T$. Combining this with (1), we obtain by the rule of Pre-Consequence of H
that $\varphi\ [\alpha]\ \psi$ is provable in $H(PA)$.

The proof of (2) is similar to the proof of Theorem 2. □

4 A Dynamic Logic Conservative over Hoare's Logic

4.1 The Dynamic Logic $DL_{fo}$

The expressiveness of Dynamic Logic is far greater than that of Hoare's Logic,
a gain which is valuable on many counts. For example, consider the extension
of Hoare's Logic to account for recursive procedures. The added inference
rules refer (at least implicitly) to implications between PCA's, rather than
only to PCA's and first order formulas. However, Hoare's logic has the
advantage of being syntax directed, so formal program annotations may be
viewed as a syntactic variant of Hoare's Logic. Reconciling Dynamic Logic and
Hoare's Logic is therefore of both theoretical and practical interest.

We have seen in Theorem 3 that this can be done when the background
theory is as powerful as PA. However, from a computational viewpoint, Peano
Arithmetic is an exceedingly powerful theory. Theorem 3 shows, therefore, that
from a practical viewpoint Dynamic Logic is far too powerful.

We therefore consider an alternative approach for reconciling Dynamic Logic
with Hoare Logic, namely weakening the deductive power of Dynamic Logic, to
match that of Hoare's Logic. It is natural to consider here Dynamic Logic with
Segerberg's Induction restricted to first-order (i.e. program free) formulas.
We write $DL_{fo}$ for DL so restricted.

At first blush, it is far from clear that this restriction is going far enough.
Segerberg's Induction,

$\psi \wedge [\alpha^*](\psi \to [\alpha]\psi) \to [\alpha^*]\psi$

even with $\psi$ program-free, has a premise that refers to states reachable by
iterated execution of $\alpha$. This premise is weaker than the premise of the
Invariance Rule of Hoare Logic,

from $\psi\ [\alpha]\ \psi$ infer $\psi\ [\alpha^*]\ \psi$

Thus, the restricted form of Segerberg's induction is stronger than the
Invariance Rule. Nonetheless, we show that when it comes to proving PCA's,
$DL_{fo}$ is conservative over Hoare's Logic, regardless of the background
theory.

This said, we will use an auxiliary deductive calculus $DL_{iter}$, formally
weaker than $DL_{fo}$, in which Segerberg's Induction is replaced by a rule of
iteration:

from $\vdash \psi\ [\alpha]\ \psi$ infer $\vdash \psi\ [\alpha^*]\ \psi$

We will not only tie Hoare's Logic with $DL_{fo}$, but with a weak formalism
for second order logic, namely the Gentzen-Prawitz deductive calculus for logic
with relational quantification, but with comprehension restricted to first
order formulas.



4.2 Explicit Rendition of Program Semantics 

The operational semantics of programs $\alpha \in P$ can be defined explicitly
within an extension of first order logic with relational variables and
quantification over them (rather than via a numeric coding, as in the
definition of the formulas $\mu_\alpha$ above). For each program $\alpha$ whose
variables are among $x = x_1 \ldots x_k$, we define a formula $M^k_\alpha[x, v]$
with free variables among the $2k$ distinct variables $x$ and
$v = v_1 \ldots v_k$, with the following property. For every $V$-structure $S$,
and every environment $\eta$ therein, $S, \eta \models M^k_\alpha[x, v]$ iff
there is an execution of $\alpha$ starting in environment $\eta$ and
terminating in environment $\eta[x := \eta v]$.

For $\alpha = x_i := t[x]$:
    $M^k_\alpha[x, v] = v_i = t[x] \wedge \bigwedge_{j \neq i} v_j = x_j$

For $\alpha = q[x]?$:
    $M^k_\alpha[x, v] = q[x] \wedge v = x$

For $\alpha = \beta;\gamma$:
    $M^k_\alpha[x, v] = \exists w.\, M^k_\beta[x, w] \wedge M^k_\gamma[w, v]$

For $\alpha = \beta \cup \gamma$:
    $M^k_\alpha[x, v] = M^k_\beta[x, v] \vee M^k_\gamma[x, v]$

For $\alpha = \beta^*$:
    $M^k_\alpha[x, v] = \forall Q.\, Q(x) \wedge \mathrm{Cl}_\beta[Q] \to Q(v)$,
    where $\mathrm{Cl}_\beta[Q] = \forall z, w.\, Q(z) \wedge M^k_\beta[z, w] \to Q(w)$

We omit the superscript $k$ when in no danger of confusion.



4.3 Explicit Rendition of Dynamic Logic Formulas 

It is obvious how to use the formulas $M_\alpha$ above to obtain an explicit
rendition “$\psi$” for each DL formula $\psi$. Namely, if all variables in
$\alpha$ are among $x = x_1 \ldots x_k$, then $[\alpha]\psi$ is rendered by

“$[\alpha]\psi$” $=_{df} \forall v.\, M_\alpha[x, v] \to \psi[v]$

Here $v = v_1 \ldots v_k$ are fresh variables, mutually distinct and different
from $x$, and $\psi[v]$ stands for the result $\{v/x\}\psi$ of simultaneously
substituting $v$ in $\psi$ for all free occurrences of $x$.

Now, given any deductive calculus $L$ whose underlying language includes
relational quantification, we can speak of the partial correctness theory of
$L$, $PCA(L)$, namely the collection of those PCAs $\varphi\ [\alpha]\ \psi$
whose explicit rendition “$\varphi\ [\alpha]\ \psi$” is provable in $L$. This
definition has nothing to do with the proof theoretic strength of $L$: it can
be spectacularly powerful, say logic in all finite types, or extremely weak,
such as second order logic with comprehension restricted to quantifier free
formulas.

4.4 Proof Formalisms for Second Order Logic 

Since the set of valid second order formulas is not RE, there is no sound and
complete proof system for the language. Nonetheless, a widely used natural
formalism for second order logic is obtained by extending first order logic
with variables and quantifiers over relations, and with the “set existence”
(so-called Comprehension) schema

$\forall x\, \exists R\, \forall u.\, R(u) \leftrightarrow \psi[u, x]$, with $R$ not free in $\psi$   (2)

This schema may be conveyed by inference rules for relational quantifiers.
For natural deduction the rules for universal quantification over relations
are

Introduction:  from $\varphi[Q]$ infer $\forall R\, \varphi[R]$

Elimination:   from $\forall R\, \varphi[R]$ infer $\varphi[\lambda x.\psi]$, with $Var(\psi) \subseteq x$

Here $\varphi[\lambda x.\psi]$ stands for the result of replacing every
subformula $R(t_1 \ldots t_k)$ of $\varphi$ by $\{t/x\}\psi$. For the
introduction rule one stipulates that $Q$ is not free in open assumptions.

Let $L_2$ be the formalism for second order logic, as above. Trivially, $L_2$
is sound for the standard semantics of the relational variables. Although not
complete, $L_2$ is a powerful formalism, e.g. full second order arithmetic
(i.e. Classical Analysis) is interpretable in it (see e.g. [11]).

Of considerable interest are sub-formalisms of $L_2$ in which comprehension
is restricted to a class $C$ of formulas, with no variables other than the
ones referred to in the Comprehension Schema. Alternatively, one requires that
the eigen-formula $\psi$ in the rule of relational $\forall$-elimination be in
$C$. We focus here on the case where comprehension is restricted to first
order predicates, whose parameters are global to the proof. That is,

$\exists R\, \forall u.\, R(u) \leftrightarrow \psi[u, x]$, with $\psi$ first-order and $R$ not free in $\psi$   (3)

The “global parameters” $x$ will correspond to the free variables occurring in
pre- and post-conditions of PCA's.



4.5 The Formalism L^. 

We refer to first order logic with a distinction between variables, for which
we use $u, v, w, u_1 \ldots$, and (global) parameters, for which we use
$x, y, x_1 \ldots$ (see the footnote below). Terms are built using both
variables and parameters, but the parameters are “global to the proof”, and
are not quantified. This distinction is useful in conveying the restricted
comprehension schema (3) by the inference rules below for relational
quantification.

We refer to the following sequential calculus. By sequent we mean a pair,
written $\Gamma \Rightarrow \Delta$, where $\Gamma$ and $\Delta$ are finite
sets of formulas. Such a sequent is initial if $\Gamma \cap \Delta \neq \emptyset$.
Referring to implication and universal quantification as the only logical
operations aside from the logical constants $\top$ and $\bot$ (which is no loss
of generality since the logic is classical), the inference rules are as
follows. As usual, we write $\Gamma, \varphi$ for $\Gamma \cup \{\varphi\}$
(note that $\varphi \in \Gamma$ is not excluded).

Footnote: Parameters will correspond to the free variables of pre- and
post-conditions of PCA's. By referring to parameters we will be able to state
an appropriate set existence principle, which refers to formulas with
parameters, but no free variables.



Left rules:

from $\Gamma \Rightarrow \Delta, \psi$ and $\Gamma, \varphi \Rightarrow \Delta$
infer $\Gamma, \psi \to \varphi \Rightarrow \Delta$

from $\Gamma, \varphi[t] \Rightarrow \Delta$ infer $\Gamma, \forall u.\varphi[u] \Rightarrow \Delta$,
where $t$ is a term substitutable for $u$ in $\varphi$

from $\Gamma, \varphi[\lambda z.\psi] \Rightarrow \Delta$ infer $\Gamma, \forall R.\varphi[R] \Rightarrow \Delta$,
where $R$ is a relational variable, $arity(z) = arity(R)$, and $\psi$ is
first-order with all free variables among $z$ (arbitrary parameters allowed)

Right rules:

from $\Gamma, \psi \Rightarrow \Delta, \varphi$ infer $\Gamma \Rightarrow \Delta, \psi \to \varphi$

from $\Gamma \Rightarrow \Delta, \varphi[v]$ infer $\Gamma \Rightarrow \Delta, \forall u.\varphi[u]$,
where $v$ is not free in $\Gamma, \Delta$

from $\Gamma \Rightarrow \Delta, \varphi[Q]$ infer $\Gamma \Rightarrow \Delta, \forall R.\varphi[R]$,
where $arity(Q) = arity(R)$ and $Q$ is not free in $\Gamma, \Delta$



Theorem 4. If a DL formula $\varphi$ is provable in $DL_{iter}(T)$, then the
second order formula “$\varphi$” is provable in $L_2$ from $T$.

The proof is by induction on the proof of $\varphi$ in $DL_{iter}$, and bears
similarity to the proof in [8] that if a PCA $P$ is provable in $DL(T)$ then
“$P$” is provable in $L_2$ from $T$.

4.6 $DL_{iter}$, $L_2$, Hoare's Logic

Theorem 5. Let $T$ be a first order theory, $\pi$ a PCA. The following
conditions are equivalent.

1. $\pi$ is provable in $H(T)$.

2. $\pi$ is provable in $DL_{iter}(T)$.

3. “$\pi$” is provable in $L_2$ from $T$.

Proof. (1) implies (2) trivially. Theorem 4 establishes that (2) implies (3).
(3) implies (1) by the main result of [8]. (An alternative proof for the
latter, using a different method, is given in [9].) □

4.7 $DL_{fo}$ Is Conservative over Hoare's Logic

Theorem 6. For every first order theory $T$, $DL_{fo}(T)$ is conservative over
$DL_{iter}(T)$ for PCA's.

The proof uses an analysis of the structure of natural deduction derivations
for $DL_{fo}$, and will be given in the full paper. (It bears similarity to
the proof in [10, Lemma 2] that the one-quantifier induction schema is
conservative over the one-quantifier induction rule for $\Pi^0_1$ sentences.)

Combining Theorems 6 and 5, we obtain

Theorem 7. Let $T$ be a first order theory. $DL_{fo}(T)$ is conservative over
$H(T)$; that is, every PCA provable in $DL_{fo}(T)$ is provable in $H(T)$.
Abstract. We show how to generate well-founded and stable term 
orderings based on polynomial interpretations over the real numbers. 
Monotonicity (another usual requirement in termination proofs) can, 
then, be gradually introduced in the interpretations to deal with 
different applications. For instance, the dependency pairs method for 
proving termination of rewriting, and some restrictions of the rewrite 
relation which are not monotonic in all arguments of the function 
symbols, can benefit from this approach. The latter is the case for 
context-sensitive rewriting (CSR), a simple restriction of rewriting 
which has been proved useful for describing the semantics of several 
programming languages (e.g., Maude) and analyzing the properties of 
the corresponding programs. We show how to automatically generate 
polynomial interpretations over the real numbers for proving termination 
of CSR. 

Keywords: Programming languages, rewriting, termination. 



1 Introduction 

Context-sensitive rewriting (CSR [12]) is a simple restriction of rewriting
which can be used to analyze termination of programs of programming languages
such as Maude, OBJ2, OBJ3, and CafeOBJ (see [13] for further details and
examples). In CSR, a replacement map $\mu$ discriminates, for each symbol of
the signature, the argument positions $\mu(f)$ on which replacements are
allowed. This can improve the termination behavior of programs by pruning
(all) infinite rewrite sequences.

Example 1. Consider the TRS $\mathcal{R}$:

nats → adx(zeros)          adx(x:y) → incr(x:adx(y))
zeros → 0:zeros            incr(x:y) → s(x):incr(y)
hd(x:y) → x                tl(x:y) → y

together with $\mu(:) = \mu(s) = \emptyset$ and
$\mu(incr) = \mu(adx) = \mu(hd) = \mu(tl) = \{1\}$ [9, Section 1]. Due to
$\mu(:) = \emptyset$, the infinite rewrite sequence

zeros → 0:zeros → ⋯

is not possible with CSR.

* Work partially supported by CICYT TIC2001-2705-C03-01.
Termination of rewriting is undecidable and a lot of research has been devoted
to developing methods and heuristics to achieve proofs of termination in
restricted cases. Polynomial interpretations and the corresponding reduction
orderings [11] are well-suited to achieve automatic or semiautomatic proofs of
termination of rewriting [3,6,11,14]. The use of polynomial interpretations
has been proposed in [8] as a suitable tool for proving $\mu$-termination,
i.e., termination of CSR under a given replacement map $\mu$. In [8], we
consider polynomial interpretations consisting of a polynomial $[f]$ on $k$
variables for each $k$-ary symbol $f$, whose coefficients are integers. Such
polynomials are actually intended to induce mappings
$[f] : \mathbb{N}^k \to \mathbb{N}$ ranging on (and returning) non-negative
integers. The polynomial interpretations must also be $\mu$-monotonic, i.e.,
whenever $x >_{\mathbb{N}} y$, we have
$[f](x_1, \ldots, x_{i-1}, x, \ldots, x_k) >_{\mathbb{N}} [f](x_1, \ldots, x_{i-1}, y, \ldots, x_k)$
for all symbols $f \in \mathcal{F}$, $i \in \mu(f)$ and
$x, y, x_1, \ldots, x_k \in \mathbb{N}$. Then, the interpretation of symbols is
homomorphically extended to terms $t$ (where variable symbols are interpreted
as variables ranging in $\mathbb{N}$) and an ordering $>$ on terms is defined
by $t > s$, if $[t] >_{\mathbb{N}} [s]$ for all $x_1, \ldots, x_n \in \mathbb{N}$,
where $x_1, \ldots, x_n$ are the variables occurring in $t$ or $s$. Now, if
$l > r$ for every rule $l \to r$ of the TRS $\mathcal{R}$, then $\mathcal{R}$
is $\mu$-terminating.

Example 2. Consider the TRS $\mathcal{R}$:

g(x) → h(x)        h(d) → g(c)        c → d

together with $\mu(g) = \mu(h) = \emptyset$ [15, Example 1] (see also
[9, Example 16]). By using the results in [8], we prove the $\mu$-termination
of $\mathcal{R}$ with the following polynomial interpretation:

[g](x) = x² − 3x + 4        [c] = 1
[h](x) = x² − 3x + 3        [d] = 0

The use of negative coefficients in the interpretation is crucial in this
example.

The restrictions imposed in [8] for the considered polynomial interpretations
are quite usual; moreover, with the early remarkable exception of [5], the
polynomials considered in the literature are further restricted to use
non-negative integer coefficients [3,11,2,16]. This is due to the need to
interpret the terms on a well-founded domain (e.g., $(\mathbb{N}, >_{\mathbb{N}})$).
This guarantees that $>$ is a well-founded ordering on terms, hence suitable
for termination proofs.

In this paper we show how to overcome these limitations to use more general
polynomials which are suitable to, e.g., prove termination of CSR.

Example 3. The $\mu$-termination of $\mathcal{R}$ in Example 1 can be proved by
using the following polynomial interpretation:

[nats] = 9          [incr](x) = x + 2      x [:] y = ½x + ½y
[adx](x) = x + 6    [s](x) = 0             [tl](x) = 2x + 1
[zeros] = 2         [hd](x) = 2x + 1       [0] = 0

which, as we will show, can be computed automatically (see Example 10 below).
The framework described in [8] does not apply to polynomial interpretations
like that of Example 3 where rational coefficients occur in the polynomials.
The main problem is that the set of real (or rational) numbers is not
well-founded. Therefore, a term ordering induced by an interpretation mapping
terms into, e.g., rational numbers is not guaranteed to be well-founded. On
the other hand, the $\mu$-termination of $\mathcal{R}$ in Example 1 cannot be
proved within the framework for polynomial termination of CSR given in [8].

In this paper, we use a general technique to obtain stable and well-founded
term orderings by using interpretations of function symbols $f$ as real
functions $[f] : \mathbb{R}^k \to \mathbb{R}$ (not necessarily polynomials).
Then, we show how to ensure ($\mu$-)monotonicity of such orderings thus making
them ($\mu$-)reduction orderings and suitable for proving ($\mu$-)termination
of TRSs (Section 3). We discuss how to use this methodology as a basis for
proving termination of CSR by means of (more general) polynomial
interpretations (Section 4). The framework in [8] can now be seen as a
particular case of the new framework. Our extended class of polynomial
interpretations provides a powerful tool for proving termination of CSR. For
instance, all examples of termination of CSR in [9] (the most recent paper on
the topic) can be proved now by using our polynomial interpretations. In
Section 5, we discuss how to automatically obtain our polynomial
interpretations. This is the first time that the automatic generation of
direct proofs of termination of CSR is implemented: We have implemented our
technique as part of the tool mu-term, see

http://www.dsic.upv.es/~slucas/csr/termination/muterm.



2 Preliminaries 

Let $\mathbb{N}$, $\mathbb{Z}$, $\mathbb{Q}$, and $\mathbb{R}$ be the sets of
natural, integer, rational and real numbers, respectively; given one of such
sets $N$ and $z \in N$, we let $N_z = \{x \in N \mid x \ge z\}$ and
$N_{>z} = \{x \in N \mid x > z\}$. Given a set $A$, $\mathcal{P}(A)$ denotes
the set of all subsets of $A$. A binary relation $R$ on a set $A$ is
terminating if there is no infinite sequence $a_1\, R\, a_2\, R \cdots$.
Throughout the paper, $\mathcal{X}$ denotes a countable set of variables and
$\mathcal{F}$ denotes a signature, i.e., a set of function symbols
$\{f, g, \ldots\}$, each having a fixed arity given by a mapping
$ar : \mathcal{F} \to \mathbb{N}$. The set of terms built from $\mathcal{F}$
and $\mathcal{X}$ is $\mathcal{T}(\mathcal{F}, \mathcal{X})$. Terms are viewed
as labelled trees in the usual way. Positions $p, q, \ldots$ are represented
by chains of positive natural numbers used to address subterms of $t$. We
denote the empty chain by $\Lambda$. Given positions $p, q$, we denote their
concatenation as $p.q$. If $p$ is a position, and $Q$ is a set of positions,
$p.Q = \{p.q \mid q \in Q\}$. The set of positions of a term $t$ is
$\mathcal{P}os(t)$. The subterm at position $p$ of $t$ is denoted as $t|_p$
and $t[s]_p$ is the term $t$ with the subterm at position $p$ replaced by $s$.
The symbol labelling the root of $t$ is denoted as $root(t)$.

A rewrite rule is an ordered pair $(l, r)$, written $l \to r$, with
$l, r \in \mathcal{T}(\mathcal{F}, \mathcal{X})$, $l \notin \mathcal{X}$ and
$Var(r) \subseteq Var(l)$. The left-hand side (lhs) of the rule is $l$ and $r$
is the right-hand side (rhs). A TRS is a pair $\mathcal{R} = (\mathcal{F}, R)$
where $R$ is a set of rewrite rules. A term
$t \in \mathcal{T}(\mathcal{F}, \mathcal{X})$ rewrites to $s$ (at position
$p$), written $t \to^p_{\mathcal{R}} s$ (or just $t \to s$), if
$t|_p = \sigma(l)$ and $s = t[\sigma(r)]_p$, for some rule
$\rho : l \to r \in R$, $p \in \mathcal{P}os(t)$ and substitution $\sigma$. A
TRS is terminating if $\to$ is terminating.

2.1 Context-Sensitive Rewriting

A mapping $\mu : \mathcal{F} \to \mathcal{P}(\mathbb{N})$ is a replacement map
(or $\mathcal{F}$-map) if $\forall f \in \mathcal{F}$,
$\mu(f) \subseteq \{1, \ldots, ar(f)\}$ [12]. The set of $\mu$-replacing
positions $\mathcal{P}os^\mu(t)$ of $t \in \mathcal{T}(\mathcal{F}, \mathcal{X})$
is: $\mathcal{P}os^\mu(t) = \{\Lambda\}$, if $t \in \mathcal{X}$, and
$\mathcal{P}os^\mu(t) = \{\Lambda\} \cup \bigcup_{i \in \mu(root(t))} i.\mathcal{P}os^\mu(t|_i)$,
if $t \notin \mathcal{X}$. In context-sensitive rewriting (CSR [12]), we (only)
contract replacing redexes: $t$ $\mu$-rewrites to $s$, written
$t \hookrightarrow_\mu s$, if $t \to^p_{\mathcal{R}} s$ and
$p \in \mathcal{P}os^\mu(t)$.

Example 4. Consider $\mathcal{R}$ and $\mu$ as in Example 1. Then, we have:

hd(zeros) ↪ hd(0:zeros) ↪ 0

Since $1.2 \notin \mathcal{P}os^\mu(\mathrm{hd}(0{:}\mathrm{zeros}))$, the
redex zeros cannot be further $\mu$-rewritten in hd(0:zeros).

A TRS $\mathcal{R}$ is $\mu$-terminating if $\hookrightarrow_\mu$ is
terminating.

3 Algebras over the Reals and Reduction Orderings 

An ordering $>$ on a set $A$ is well-founded if it admits no infinite chain
$a_1 > a_2 > \cdots > a_n > \cdots$. Given a mapping $f : A^k \to A$ and
$i \in \{1, \ldots, k\}$, we say that $>$ is monotonic on the $i$-th argument
of $f$ if, whenever $x > y$, we have
$f(x_1, \ldots, x_{i-1}, x, \ldots, x_k) > f(x_1, \ldots, x_{i-1}, y, \ldots, x_k)$
for all $x, y, x_1, \ldots, x_k \in A$. The problem of proving termination of
a TRS is equivalent to finding a well-founded, stable, and monotonic (strict)
ordering $>$ on terms (i.e., a reduction ordering) which is compatible with
the rules of the TRS, i.e., such that $l > r$ for all rules $l \to r$ of the
TRS. Here, monotonic means that, for all $k$-ary symbols $f$ and
$i \in \{1, \ldots, k\}$, $>$ is monotonic on the $i$-th argument of $f$, when
$f$ is viewed as a mapping
$f : \mathcal{T}(\mathcal{F}, \mathcal{X})^k \to \mathcal{T}(\mathcal{F}, \mathcal{X})$.
Stable means that, whenever $t > s$, we have $\sigma(t) > \sigma(s)$ for all
terms $t, s$ and substitutions $\sigma$.

Reduction orderings can be obtained by giving appropriate interpretations to
the function symbols of the signature. Given a signature $\mathcal{F}$, an
ordered $\mathcal{F}$-algebra is a triple $(A, \mathcal{F}_A, >_A)$, where $A$
is a set, $\mathcal{F}_A$ is a set of mappings $f_A : A^k \to A$ for each
$f \in \mathcal{F}$ where $k = ar(f)$, and $>_A$ is a (strict) ordering on
$A$. For a given valuation mapping $\alpha : \mathcal{X} \to A$, the evaluation
mapping $[\alpha] : \mathcal{T}(\mathcal{F}, \mathcal{X}) \to A$ is inductively
defined by $[\alpha](x) = \alpha(x)$ if $x \in \mathcal{X}$ and
$[\alpha](f(t_1, \ldots, t_k)) = f_A([\alpha](t_1), \ldots, [\alpha](t_k))$ for
$x \in \mathcal{X}$, $f \in \mathcal{F}$,
$t_1, \ldots, t_k \in \mathcal{T}(\mathcal{F}, \mathcal{X})$. Then, we can
define an ordering $>$ on terms given by $t > s$ if and only if
$[\alpha](t) >_A [\alpha](s)$ for all $\alpha : \mathcal{X} \to A$. If $>_A$
is well-founded, then $>$ also is [16, Section 6.2.1].

In this paper we are interested in using real functions over real numbers to
define reduction orderings. We say that $\mathcal{A} = (A, \mathcal{F}_A)$ is
an $\mathcal{F}$-algebra over the reals if $A \subseteq \mathbb{R}$. Given
$m \in \mathbb{R}$ and $A \subseteq \mathbb{R}$, we say that $f_A : A^k \to A$
is $m$-bounded if $f_A(x_1, \ldots, x_k) \ge m$ for all
$x_1, \ldots, x_k \in A$. If there exists $m \in \mathbb{R}$ such that $f_A$
is $m$-bounded for all $f \in \mathcal{F}$, then we say that
$\mathcal{A} = (A, \mathcal{F}_A)$ is $m$-bounded. The order
$(\mathbb{R}_m, >_{\mathbb{R}})$ is not well-founded for any $m \in \mathbb{R}$.
However, as in [10], given $\delta \in \mathbb{R}_{>0}$, we use the following
(strict) ordering on the set of real numbers:

$\forall x, y \in \mathbb{R},\ x >_\delta y$ if and only if $x - y \ge_{\mathbb{R}} \delta$

Thus, we have the following.

Theorem 1. Let $\mathcal{F}$ be a signature, $A \subseteq \mathbb{R}$,
$m \in \mathbb{R}$, $\mathcal{A} = (A, \mathcal{F}_A)$ be an $m$-bounded
$\mathcal{F}$-algebra, and $\delta \in \mathbb{R}_{>0}$. Then, the relation
$>_\delta$ on terms given by

$t >_\delta s \iff \forall \alpha : \mathcal{X} \to A,\ [\alpha](t) - [\alpha](s) \ge \delta$

is a well-founded and stable (strict) ordering on
$\mathcal{T}(\mathcal{F}, \mathcal{X})$.

In order to use an ordering $>_\delta$ (induced by an $m$-bounded algebra) for
proving termination of rewriting, we have to further ensure that $>_\delta$ is
monotonic. The following example shows the use of Theorem 1 to prove
termination of TRSs.

Example 5. Consider the following TRS $\mathcal{R}$ [16, Example 6.2.22]:

f(f(x)) → f(g(f(x)))

and the 0-bounded algebra $(A, \mathcal{F}_A)$, where $A = \mathbb{R}_0$,
$f_A(x) = \lceil x \rceil + \frac{1}{2}$ and $g_A(x) = \lfloor x \rfloor$ (here,
$\lceil x \rceil$ is the least integer above -or equal to- $x$ and
$\lfloor x \rfloor$ is the integer part of $x$). Note that $>_1$ is monotonic:
if $t >_1 s$, then $[\alpha](t) \ge [\alpha](s) + 1$ for all valuations
$\alpha : \mathcal{X} \to A$; hence, since $\lfloor x + 1 \rfloor = \lfloor x \rfloor + 1$
and $\lceil x + 1 \rceil = \lceil x \rceil + 1$, we have
$[\alpha](f(t)) - [\alpha](f(s)) = \lceil [\alpha](t) \rceil - \lceil [\alpha](s) \rceil \ge \lceil [\alpha](s) + 1 \rceil - \lceil [\alpha](s) \rceil = 1$.
Similarly,
$[\alpha](g(t)) - [\alpha](g(s)) = \lfloor [\alpha](t) \rfloor - \lfloor [\alpha](s) \rfloor \ge \lfloor [\alpha](s) + 1 \rfloor - \lfloor [\alpha](s) \rfloor = 1$.
Thus, by Theorem 1, $>_1$ is a reduction ordering. On the other hand, we have:

$[\alpha](f(f(x))) = \lceil \lceil \alpha(x) \rceil + \frac{1}{2} \rceil + \frac{1}{2} = \lceil \alpha(x) \rceil + \frac{3}{2}$, and

$[\alpha](f(g(f(x)))) = \lceil \lfloor \lceil \alpha(x) \rceil + \frac{1}{2} \rfloor \rceil + \frac{1}{2} = \lceil \alpha(x) \rceil + \frac{1}{2}$

Therefore:

$[\alpha](f(f(x))) - [\alpha](f(g(f(x)))) = \lceil \alpha(x) \rceil + \frac{3}{2} - (\lceil \alpha(x) \rceil + \frac{1}{2}) = 1$

Then, $f(f(x)) >_1 f(g(f(x)))$ and $\mathcal{R}$ is terminating.

The following theorem provides a sufficient condition for ensuring
monotonicity of $>_\delta$: monotonicity of $>_\delta$ in the $i$-th argument
of a function symbol $f$ comes when an increment of (at least) $\delta$ in the
$i$-th argument of $f_A$ increases in (at least) $\delta$ the output of the
function $f_A$ (for each fixed tuple of arguments).

Theorem 2. Let $\mathcal{F}$ be a signature, $A \subseteq \mathbb{R}$,
$m \in \mathbb{R}$, and $\delta \in \mathbb{R}_{>0}$. Let
$\mathcal{A} = (A, \mathcal{F}_A)$ be an $m$-bounded $\mathcal{F}$-algebra,
$f \in \mathcal{F}$ and $1 \le i \le ar(f)$. If $f_A$ is differentiable in its
$i$-th argument and $\frac{\partial f_A}{\partial x_i}(x_1, \ldots, x_{ar(f)}) \ge 1$,
then $>_\delta$ is monotonic in the $i$-th argument of $f$.

The following example shows the necessity of requiring
$\frac{\partial f_A}{\partial x_i}(x_1, \ldots, x_{ar(f)}) \ge 1$ in Theorem 2.

Example 6. Consider the following TRS:

a → c(a)

Let $A = \mathbb{R}_0$. Consider the 0-bounded $\mathcal{F}$-algebra
$(A, \{a_A, c_A\})$, where $a_A = 2$ and $c_A(x) = \frac{1}{2}x$. According to
Theorem 1 the ordering $>_1$ induced by this algebra is well-founded and
stable. The order, however, is not monotonic in the argument of $c$: we have
$[\alpha](a) = 2$ and $[\alpha](c(a)) = 1$, for all $\alpha : \mathcal{X} \to A$,
i.e.,

$a >_1 c(a)$

However, $[\alpha](c(c(a))) = \frac{1}{2}$, i.e., $c(a) \not>_1 c(c(a))$. Note
that $\frac{\partial c_A}{\partial x} = \frac{1}{2} < 1$.

Regarding the choice of $\delta$ when using Theorems 1 and 2, Example 5 also
shows that this choice matters: for instance, since the difference computed
there is exactly 1, $>_\delta$ is not compatible with $\mathcal{R}$ in
Example 5 for any $\delta > 1$; on the other hand, for $\delta < 1$ the
ordering $>_\delta$ is not monotonic. In this paper we will always use
$\delta = 1$.

3.1 Polynomial Interpretations 

A monomial in k variables over K is a function E : — >■ R defined by 

E(a;i , . . . ,Xk) = a x\^ • ■ ■ x^‘‘ for some real number a ^ 0 and non-negative inte- 
gers ri, . . . , rfc. The number a is called the coefficient of the monomial; E 
is the degree of the monomial. If ri = r 2 = • • • = = 0, then the monomial is 

called a constant. A polynomial in k variables over R is the sum of finitely many 
monomials in k variables over R. The set of polynomials over a set {a;i, . . . , x„} 
of n distinct variables is denoted by R[xi, . . . , Xn]- 

The use of polynomials in termination proofs is normally restricted to 

1. polynomials P with non-negative integer coefficients (i.e., P € N[xi, . . . , x„], 
see, e.g., [3,11,2,16]) or 

2. polynomials P with real coefficients which are either zero or greater than or 
equal to 1 (i.e., P G Ri[a;i, . . . ,x„], see, e.g., [5,6,14]). 

In the first case, well-foundedness of the induced orderings on terms comes for 
free due to the use of a well-founded domain (N, >n); the use of non-negative in- 
teger coefficients for the polynomials guarantees monotonicity of the ordering ([2, 
Section 5.3], [16, Proposition 10]). Given a polynomial interpretation (N, En, >n), 
the corresponding reduction ordering > is given as follows: for t,s G P{P,X) 
(as usual, we write [/] for the polynomial associated to /), 

t > s ^ Vxi G N, [t] > [s] 

where [x] = x \i x & X and [/(G,... ,tk)] = [/]([G],--- J^fc])- Note that (as 
usual) we write [t] instead of [o:](t) since the variables are interpreted as them- 
selves (ranging on numbers) and a universal quantification is assumed for each 
variable. 

Proposition 1. Let $\mathcal{F}$ be a signature and $\mathcal{F}_\mathbb{N}$ be a polynomial interpretation such that $[f] : \mathbb{N}^k \to \mathbb{N}$ for each k-ary symbol $f \in \mathcal{F}$. Let > be the ordering on terms induced by $(\mathbb{N}, \mathcal{F}_\mathbb{N}, >_\mathbb{N})$ and $>_1$ be the ordering induced by the 0-bounded algebra $(\mathbb{N}, \mathcal{F}_\mathbb{N})$. Then, $> = >_1$.

Proposition 1 proves that the orderings induced by the polynomial interpretations in the usual sense correspond to the ordering $>_1$ induced by the polynomial interpretation viewed as a 0-bounded algebra over $\mathbb{N}$.

In the second case above, monotonicity is still guaranteed by the use of non-negative (and $\ge 1$) coefficients, and well-foundedness is guaranteed (for finite signatures) if the polynomials P in $\mathbb{R}_1[x_1, \ldots, x_n]$ additionally have the subterm property: $P(x_1, \ldots, x_k) > x_i$ for all $1 \le i \le k$ (see [5]).

4 Polynomial Interpretations for Context-Sensitive Rewriting

Termination of CSR is fully captured by the so-called μ-reduction orderings [15], i.e., well-founded, stable orderings > which are μ-monotonic, i.e., for all $f \in \mathcal{F}$ and $i \in \mu(f)$, > is monotonic in the i-th argument of f. Then, a TRS $\mathcal{R} = (\mathcal{F}, R)$ is μ-terminating if and only if there is a μ-reduction ordering > which is compatible with the rules of $\mathcal{R}$, i.e., for all $l \to r \in R$, $l > r$ [15, Proposition 1].

Of course, μ-reduction orderings can also be defined by means of m-bounded $\mathcal{F}$-algebras over the reals. Well-foundedness and stability of $>_\delta$ is already ensured by Theorem 1. In this sense, Proposition 1 proves that the orderings induced by the polynomial interpretations in [8] correspond to the ordering $>_1$ induced by the polynomial interpretation viewed as a 0-bounded algebra over $\mathbb{N}$.

Example 7. Consider the following TRS $\mathcal{R}$:

  0 - y → 0                       0 ÷ s(y) → 0
  s(x) - s(y) → x - y             s(x) ÷ s(y) → if(x ≥ y, s((x - y) ÷ s(y)), 0)
  x ≥ 0 → true                    if(true, x, y) → x
  0 ≥ s(y) → false                if(false, x, y) → y
  s(x) ≥ s(y) → x ≥ y

together with $\mu(\mathrm{if}) = \mu(\div) = \mu(\mathrm{s}) = \{1\}$ and $\mu(f) = \emptyset$ for any other symbol f [9, Example 49]. The μ-termination of $\mathcal{R}$ can be proved by using the ordering $>_1$ induced by the following polynomial interpretation $(\mathbb{N}, \mathcal{F}_\mathbb{N})$, where $\mathcal{F}_\mathbb{N}$ is:

  $x\,[-]\,y = x + 1$                  $[\mathrm{true}] = 0$
  $[0] = 0$                            $[\mathrm{false}] = 1$
  $[\mathrm{s}](x) = x + 3$            $x\,[\div]\,y = x^2 + x + 1$
  $x\,[\ge]\,y = x + 2$                $[\mathrm{if}](x, y, z) = xz + x + y + 1$

Our framework strictly includes [8]. For instance, we show that [8] does not suffice for proving μ-termination of $\mathcal{R}$ in Example 1: note that the polynomial interpretation [:] of ':' must contain a monomial $a\,x^m y^n$ with $m \in \mathbb{N}$ and $a, n \in \mathbb{N}_1$; otherwise, the rule tl(x:y) → y cannot be oriented. In this case, however, the rule zeros → 0:zeros cannot be oriented. This is managed in our framework by giving ':' a polynomial interpretation whose second (non-replacing) parameter contributes as half of its value. This permits dealing with recursive calls in right-hand sides (as in the rule zeros → 0:zeros) whilst sufficient information is still kept to be used in left-hand sides (as in the rule tl(x:y) → y).
Example 8. Consider the following non-terminating TRS $\mathcal{R}$:

  sel(0, x:y) → x                 from(x) → x:from(s(x))
  sel(s(x), y:z) → sel(x, z)

and $\mu(:) = \mu(\mathrm{s}) = \mu(\mathrm{from}) = \{1\}$ and $\mu(\mathrm{sel}) = \{1, 2\}$ [12, Example 5]. This TRS can be proved μ-terminating by using the ordering $>_1$ induced by the 1-bounded algebra given by $(\mathbb{Q}_1, \mathcal{F}_{\mathbb{Q}_1})$, where $\mathcal{F}_{\mathbb{Q}_1}$ is the following polynomial interpretation:

  $[0] = 1$                 $[\mathrm{from}](x) = 2x + 2$         $x\,[:]\,y = x + …$
  $[\mathrm{s}](x) = 2x$    $[\mathrm{sel}](x, y) = … + 1$

Note that $>_1$ is μ-monotonic: since $x, y \ge 1$, by Theorem 2, we have

  $\frac{\partial [\mathrm{s}]}{\partial x} = 2 \ge 1$,   $\frac{\partial [\mathrm{from}]}{\partial x} = 2 \ge 1$,   $\frac{\partial [\mathrm{sel}]}{\partial x} = 2xy \ge 1$,   $\frac{\partial [\mathrm{sel}]}{\partial y} = … \ge 1$,   $\frac{\partial [:]}{\partial x} = 1$.


We finish this section with a last motivating example:

Example 9. Consider the following TRS $\mathcal{R}$ borrowing the well-known Toyama's example:

  c → a              f(a, b, x) → f(x, x, x)
  c → b

together with $\mu(\mathrm{f}) = \{1, 3\}$. The following 'polynomial' interpretation $(\mathbb{Q}_1, \mathcal{F}_{\mathbb{Q}_1})$, where $\mathcal{F}_{\mathbb{Q}_1}$ is:

  $[\mathrm{f}](x, y, z) = x + xy^{-1} + zy^{-1} + z$        $[\mathrm{a}] = 2$
  $[\mathrm{c}] = 3$                                        $[\mathrm{b}] = 1$

can be used to formally prove the μ-termination of $\mathcal{R}$. The μ-reduction ordering $>_1$ induced by this algebra is compatible with the rules of $\mathcal{R}$:

  $[\mathrm{f(a,b,x)}] - [\mathrm{f(x,x,x)}] = 2x + 4 - (2x + 2) = 2 \ge 1$
  $[\mathrm{c}] - [\mathrm{a}] = 3 - 2 = 1 \ge 1$
  $[\mathrm{c}] - [\mathrm{b}] = 3 - 1 = 2 \ge 1$

Regarding μ-monotonicity of $>_1$, we use Theorem 2:

  $\frac{\partial [\mathrm{f}]}{\partial x} = 1 + y^{-1} \ge 1$        $\frac{\partial [\mathrm{f}]}{\partial z} = 1 + y^{-1} \ge 1$

We can also prove that $\mathcal{R}$ is simply μ-terminating (see [8, Section 3]): since $x, y, z \ge 1$, we have

  $[\mathrm{f}(x,y,z)] - [x] = xy^{-1} + zy^{-1} + z \ge 1$
  $[\mathrm{f}(x,y,z)] - [z] = x + xy^{-1} + zy^{-1} \ge 1$

When considering $\mu'(\mathrm{f}) = \{2, 3\}$, the proof of (simple) μ'-termination of $\mathcal{R}$ is similar.
5 Automatic Proofs of Termination of CSR Using Polynomials

Polynomial interpretations are well-suited to mechanize the proofs of termination. A proof of termination of a TRS is transformed into the problem of solving a set of constraints over the coefficients of a polynomial interpretation for the symbols of the TRS [11]. We are especially interested in proving μ-termination of TRSs by using polynomial interpretations. According to Theorems 1 and 2, the set of constraints is then obtained by requiring the polynomial interpretations to satisfy the following restrictions: for all $f \in \mathcal{F}$,

1. 0-boundedness: $[f](x_1, \ldots, x_k) \ge 0$ for all $x_1, \ldots, x_k \ge 0$.

2. μ-monotonicity: $\frac{\partial [f]}{\partial x_i} \ge 1$ for all $i \in \mu(f)$.

3. Compatibility with the rules of the TRS: $l >_1 r$ for all $l \to r \in R$.

For practical reasons, we also restrict the polynomials that we consider to have rational (although possibly negative) coefficients. Thus, $[f] \in \mathbb{Q}[x_1, \ldots, x_k]$ and $[f] : \mathbb{Q}_0^k \to \mathbb{Q}_0$ for each k-ary symbol $f \in \mathcal{F}$. This limitation (and other limitations which are introduced below) is motivated by the use of the CiME system [4] to solve the set of constraints that we obtain. CiME is only able to solve Diophantine inequations yielding non-negative integers as solutions. As we will see below, the use of rational numbers is easily made compatible with this limitation. The choice of 0-bounded polynomial interpretations and that of the ordering $>_1$ (i.e., m = 0 and δ = 1 in Theorem 1) is arbitrary.

The following result imposes some general restrictions on the structure of (m-bounded) polynomials containing negative coefficients.

Proposition 2. Let $P \in \mathbb{R}[x_1, \ldots, x_k]$ be m-bounded for some $m \in \mathbb{R}$ and $a_{r_1 \cdots r_k}\, x_1^{r_1} \cdots x_k^{r_k}$ be a monomial in P. If $a_{r_1 \cdots r_k} < 0$, then, for all $i \in \{1, \ldots, k\}$ satisfying $r_i > 0$, there is a monomial $a_{r'_1 \cdots r'_k}\, x_1^{r'_1} \cdots x_k^{r'_k}$ in P satisfying $a_{r'_1 \cdots r'_k} > 0$ and $r'_i > r_i$.

Thus, if we want to have a negative coefficient for a monomial which is first degree in a given variable $x_i$, we need to have a monomial of higher degree in $x_i$ having a positive coefficient. Otherwise, m-boundedness (which is required in Theorem 1) cannot be achieved.

Of course, the difficulty of the procedure also depends on the complexity of the polynomials that we use for this. In the literature, there are two classes of polynomials which are well-suited for automating termination proofs: linear [11] and simple-mixed [14] interpretations. Being the simplest ones, we use linear polynomial interpretations to discuss and exemplify how to proceed for automatically proving termination of CSR by using (or more precisely generating) polynomial interpretations.

5.1 Using Linear Polynomial Interpretations

A polynomial $P \in \mathbb{R}[x_1, \ldots, x_n]$ is linear if $P = a_n x_n + a_{n-1} x_{n-1} + \cdots + a_1 x_1 + a_0$. According to the previous discussion, we are going to use polynomial interpretations $(\mathbb{Q}_0, \mathcal{F}_{\mathbb{Q}_0})$. Note that, according to Proposition 2, negative coefficients are not allowed in linear polynomial interpretations. Moreover, the independent coefficient $a_0$ cannot be negative if $a_i \neq 0$ for some $1 \le i \le k$; otherwise, the interpretation would not be m-bounded for any $m \in \mathbb{R}$.

The following proposition justifies that, for the purpose of proving termination of CSR by using a linear polynomial interpretation inducing an ordering $>_\delta$ for some $\delta \in \mathbb{R}_{>0}$, we also have to eventually ensure that, for all $f \in \mathcal{F}$, $0 \le a_i < 1$ whenever $i \notin \mu(f)$.

Proposition 3. Let $\mathcal{F}$ be a signature, $A \subseteq \mathbb{R}$, $\delta \in \mathbb{R}_{>0}$, and $(A, \mathcal{F}_A)$ be a linear polynomial interpretation for $\mathcal{F}$. Then, $>_\delta$ is monotonic in the i-th argument of $f \in \mathcal{F}$ if and only if $a_i \ge 1$, where $[f] = a_k x_k + a_{k-1} x_{k-1} + \cdots + a_1 x_1 + a_0$.

Hence, following the previous discussion and results, we assume that each k-ary symbol $f \in \mathcal{F}$ is interpreted as a linear polynomial $[f] = a_k x_k + a_{k-1} x_{k-1} + \cdots + a_1 x_1 + a_0$ where

1. $a_0 \in \mathbb{N}$,

2. $a_i \in \mathbb{N}_1$ if $i \in \mu(f)$, and

3. $a_i = \frac{p_i}{q_i}$ if $i \notin \mu(f)$, where $p_i \in \mathbb{N}$, $q_i \in \mathbb{N}_1$ and $p_i < q_i$. Here, Proposition 3 is used to adopt a heuristic: since non-replacing arguments are not restricted to be greater than or equal to 1, we permit the use of rational coefficients and, in fact, we impose $0 \le a_i < 1$ to (try to) reduce the search space. Note that, in [8], the only possibility would be $a_i = 0$.

The following example shows how these ideas work in practice: we describe how to prove the polynomial μ-termination of $\mathcal{R}$ in Example 1.

Example 10. Consider $\mathcal{R}$ and μ as in Example 1. The symbols of the signature are interpreted as linear polynomials:

  $[\mathrm{nats}] = a_0$                              $[\mathrm{incr}](x) = f_1 x + f_0$
  $[\mathrm{adx}](x) = b_1 x + b_0$                    $[\mathrm{s}](x) = g_1 x + g_0$
  $[\mathrm{zeros}] = c_0$                             $[\mathrm{hd}](x) = h_1 x + h_0$
  $x\,[:]\,y = d_{10} x + d_{01} y + d_{00}$           $[\mathrm{tl}](x) = i_1 x + i_0$
  $[0] = e_0$

where, according to Proposition 3, we further assume that $d_{10} = \frac{p_{10}}{q_{10}}$ and $d_{01} = \frac{p_{01}}{q_{01}}$ for natural numbers $p_{10} < q_{10}$ and $p_{01} < q_{01}$. Analogously, for [s] we let $g_1 = \frac{p_1}{q_1}$ for natural numbers $p_1 < q_1$. All other coefficients are natural numbers.

Now, we use Theorems 1 and 2 to generate a set of constraints over the unknown coefficients. First we note that, since CiME solves the indeterminate coefficients $a_i, b_i, \ldots, p_i, q_i, \ldots$ in $\mathbb{N}$, the 0-boundedness of each polynomial is immediately guaranteed. Regarding μ-monotonicity and compatibility with the rules of the TRS, we have the following:

1. Constraints due to μ-monotonicity. In general, we use Theorem 2; here (where linear interpretations are assumed) Proposition 3 can be used instead, giving one constraint $a_i \ge 1$ per replacing argument, among them

   $h_1 \ge 1$        $i_1 \ge 1$
2. Constraints due to compatibility with rules (use Theorem 1 with $>_1$):

a) Compatibility with the rule nats → adx(zeros):

   $a_0 - (b_1 c_0 + b_0) \ge 1 \iff a_0 - b_1 c_0 - b_0 \ge 1$

b) Compatibility with the rule zeros → 0:zeros:

   $c_0 - d_{10} e_0 - d_{01} c_0 - d_{00} \ge 1 \iff q_{10} q_{01} c_0 - q_{01} p_{10} e_0 - q_{10} p_{01} c_0 - q_{10} q_{01} d_{00} \ge q_{10} q_{01}$

   Note that we have used the definition of $d_{10}$ and $d_{01}$ as rational numbers $d_{10} = \frac{p_{10}}{q_{10}}$ and $d_{01} = \frac{p_{01}}{q_{01}}$ to transform the first constraint into an equivalent one where only the components of the fractions are present.

c) Compatibility with the rule incr(x:y) → s(x):incr(y):

   $f_1(d_{10} x + d_{01} y + d_{00}) + f_0 - (d_{10}(g_1 x + g_0) + d_{01}(f_1 y + f_0) + d_{00}) \ge 1$

   In these cases, we collect the coefficients accompanying each variable $x_1, \ldots, x_k$ to obtain a constraint

   $A_k x_k + \cdots + A_1 x_1 + A_0 \ge B$

   Then, since $x_1, \ldots, x_k \ge 0$, we express this constraint as

   $A_k \ge 0 \wedge \cdots \wedge A_1 \ge 0 \wedge A_0 \ge B$

   For the constraint above, we obtain

   $q_1 f_1 p_{10} - p_{10} p_1 \ge 0 \;\wedge\; f_1 p_{01} - p_{01} f_1 \ge 0 \;\wedge\; q_{10} q_{01} f_1 d_{00} + q_{10} q_{01} f_0 - q_{01} p_{10} g_0 - q_{10} p_{01} f_0 - q_{10} q_{01} d_{00} \ge q_{10} q_{01}$

d) Compatibility with the rule adx(x:y) → incr(x:adx(y)):

   $b_1(d_{10} x + d_{01} y + d_{00}) + b_0 - (f_1(d_{10} x + d_{01}(b_1 y + b_0) + d_{00}) + f_0) \ge 1$

   $b_1 p_{10} - f_1 p_{10} \ge 0 \;\wedge\; b_1 p_{01} - f_1 p_{01} b_1 \ge 0 \;\wedge\; q_{01} b_1 d_{00} + q_{01} b_0 - f_1 p_{01} b_0 - q_{01} f_1 d_{00} - q_{01} f_0 \ge q_{01}$

e) Compatibility with the rule hd(x:y) → x:

   $h_1(d_{10} x + d_{01} y + d_{00}) + h_0 - x \ge 1 \iff h_1 p_{10} - q_{10} \ge 0 \;\wedge\; h_1 p_{01} \ge 0 \;\wedge\; h_1 d_{00} + h_0 \ge 1$

f) Compatibility with the rule tl(x:y) → y:

   $i_1(d_{10} x + d_{01} y + d_{00}) + i_0 - y \ge 1 \iff i_1 p_{10} \ge 0 \;\wedge\; i_1 p_{01} - q_{01} \ge 0 \;\wedge\; i_1 d_{00} + i_0 \ge 1$
3. Constraints due to the rational coefficients:

   (a) $q_{10} > p_{10}$        (b) $q_{01} > p_{01}$        (c) $q_1 > p_1$

Now, this set of constraints can be solved as a set of Diophantine inequations using the CiME system. We (automatically) obtain the solution of this set of constraints, thus yielding the following polynomial interpretation¹:

  $[\mathrm{nats}] = 9$            $[\mathrm{incr}](x) = x + 2$      $x\,[:]\,y = …$
  $[\mathrm{adx}](x) = x + 6$      $[\mathrm{s}](x) = 0$             $[\mathrm{tl}](x) = 2x + 1$
  $[\mathrm{zeros}] = 2$           $[\mathrm{hd}](x) = 2x + 1$       $[0] = 0$

which proves the μ-termination of $\mathcal{R}$.

We have implemented our technique as part of the tool MU-TERM. MU-TERM uses CiME as an external tool for solving the Diophantine inequations obtained with our technique. The polynomial interpretation in Example 10 can be automatically obtained with MU-TERM. We refer the reader to the WWW site of MU-TERM for further details about it.

5.2 Simple-Mixed Polynomial Interpretations

A polynomial $P \in \mathbb{R}[x_1, \ldots, x_n]$ is simple-mixed iff all exponents are not greater than 1, or n = 1 and $P = a_2 x_1^2 + a_1 x_1 + a_0$ [14]. Note that, according to Proposition 2 and the discussion following it in Section 5.1, simple-mixed polynomials used in our interpretations cannot contain negative coefficients. The following example shows the use of simple-mixed polynomial interpretations.

Example 11. Consider the following TRS $\mathcal{R}$ [15, Example 5]:

  if(true, x, y) → x          f(x) → if(x, c, f(true))
  if(false, x, y) → y

together with $\mu(\mathrm{f}) = \{1\}$ and $\mu(\mathrm{if}) = \{1, 2\}$. Now we first conjecture a simple-mixed polynomial interpretation $(\mathbb{Q}_0, \mathcal{F}_{\mathbb{Q}_0})$. Again, we can use MU-TERM to automatically prove the μ-termination of $\mathcal{R}$. We obtain:

Proof of termination for CS-TRS Ex5_Zan97 :

[f] (X) = 3.x + 2
[if] (X1,X2,X3) = X1.X3 + X1 + X2 + 1
[c] = 0
[true] = 0
[false] = 1

Now we prove that linear interpretations do not work in this case. Assume that there is a linear interpretation $(\mathbb{Q}_0, \mathcal{F}_{\mathbb{Q}_0})$ and some δ > 0 such that $>_\delta$ is a μ-reduction ordering which is compatible with the rules of $\mathcal{R}$. Such an interpretation includes a polynomial $[\mathrm{if}](x, y, z) = ax + by + cz + d$ interpreting if, where $a, b \ge 1$ to guarantee that $>_\delta$ is μ-monotonic for any δ > 0 (Proposition 3). Moreover, $c \ge 1$; otherwise, compatibility of $>_\delta$ with the second rule for if would be impossible. Also, the interpretation of f would be $[\mathrm{f}](x) = mx + n$, where $m \ge 1$ (due to $\mu(\mathrm{f}) = \{1\}$). Then, by Proposition 3, $>_\delta$ would be, in fact, monotonic, hence a reduction ordering which is compatible with the rules of $\mathcal{R}$. However, $\mathcal{R}$ being non-terminating, no reduction ordering can be compatible with the rules of $\mathcal{R}$.

¹ We use version 2.0 of the CiME system.

Example 11 also shows that (in contrast to the usual approaches which use $\mathbb{N}_1$ (or $\mathbb{N}_2$) and $\mathbb{R}_1$, see [3,11,14,16]) the use of 0 for interpreting symbols is crucial for some applications. This claim is justified by the following proposition.

Proposition 4. Let $\mathcal{F}$ be a signature, $A \subseteq \mathbb{R}_1$, $\delta \in \mathbb{R}_{>0}$, and $(A, \mathcal{F}_A)$ be a polynomial interpretation for $\mathcal{F}$. If [f] contains a monomial $a\, x_1^{r_1} \cdots x_k^{r_k}$ with $r_i \ge 1$ and $a \ge 1$, then $>_\delta$ is monotonic in the i-th argument of $f \in \mathcal{F}$.

For instance, without interpreting true as 0, the μ-termination of $\mathcal{R}$ in Example 11 cannot be proved by using the same interpretations for f and if.

5.3 Polynomials with Negative Coefficients

The polynomials in the previous sections do not admit negative coefficients in any monomial. According to Proposition 2, if we want to use negative coefficients in some monomials (as, e.g., in Example 2), we have to consider, at least, the following class of polynomials.

Definition 1 (2-simple-mixed polynomial). A polynomial $P \in \mathbb{R}[x_1, \ldots, x_n]$ is 2-simple-mixed iff each monomial $a_{r_1 \cdots r_k}\, x_1^{r_1} \cdots x_k^{r_k}$ satisfies either:

1. $r_i \in \{0, 1\}$ for all $i \in \{1, \ldots, k\}$, or

2. $r_i = 2$ for some $i \in \{1, \ldots, k\}$ and $r_j = 0$ for all $j \in \{1, \ldots, k\} - \{i\}$.

Note that simple-mixed polynomials are also 2-simple-mixed. The polynomials used in Example 2 are 2-simple-mixed. The following result can be used to guarantee 0-boundedness of a quadratic polynomial:

Proposition 5. Let $P(x) = Ax^2 + Bx + C$. Then, $P(x) \ge 0$ for all $x \ge 0$ if and only if either

1. $A \ge 0 \wedge B \ge 0 \wedge C \ge 0$, or

2. $A > 0 \wedge B < 0 \wedge 4AC - B^2 \ge 0$.

Example 12. Consider the following TRS $\mathcal{R}$:

  f(x, g(x), y) → f(y, y, y)          b → c
  g(b) → c

together with $\mu(\mathrm{f}) = \{3\}$ [9, Example 24]. The μ-termination of $\mathcal{R}$ can be proved by using the ordering $>_1$ induced by:

  $[\mathrm{f}](x, y, z) = x^2 - 2xy + y^2 + z$          $[\mathrm{b}] = 1$
  $[\mathrm{g}](x) = x + 1$                              $[\mathrm{c}] = 0$

In the near future, we plan to furnish MU-TERM with the ability to automatically generate proofs of μ-termination by using polynomials with negative coefficients.
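As an added example (not code from the paper or from MU-TERM), the three checks of Section 5, namely 0-boundedness, μ-monotonicity via the derivative condition of Theorem 2, and compatibility $l >_1 r$, run over the interpretation of Example 12 with exact rational arithmetic. Each inequality is certified by the coefficient-collection criterion of Section 5.1 ($A_k \ge 0 \wedge \cdots \wedge A_0 \ge B$); the sum-of-squares witness $(x - y)^2$ for [f] and the tuple encoding of terms are our own assumptions.

```python
from fractions import Fraction

class Poly:
    """Rational-coefficient polynomial over a fixed tuple of variable names;
    `terms` maps exponent tuples to non-zero Fractions."""
    def __init__(self, vars_, terms=()):
        self.vars = tuple(vars_)
        self.terms = {m: Fraction(c) for m, c in dict(terms).items() if c != 0}

    @classmethod
    def const(cls, vars_, c):
        return cls(vars_, {(0,) * len(vars_): c})

    @classmethod
    def var(cls, vars_, name):
        e = [0] * len(vars_)
        e[tuple(vars_).index(name)] = 1
        return cls(vars_, {tuple(e): 1})

    def _lift(self, o):
        return o if isinstance(o, Poly) else Poly.const(self.vars, o)

    def __add__(self, o):
        t = dict(self.terms)
        for m, c in self._lift(o).terms.items():
            t[m] = t.get(m, 0) + c
        return Poly(self.vars, t)

    def __sub__(self, o):
        return self + self._lift(o) * -1

    def __mul__(self, o):
        t = {}
        for m1, c1 in self.terms.items():
            for m2, c2 in self._lift(o).terms.items():
                m = tuple(a + b for a, b in zip(m1, m2))
                t[m] = t.get(m, 0) + c1 * c2
        return Poly(self.vars, t)
    __rmul__ = __mul__

    def subst(self, args, target):
        """[f]([t1],...,[tk]): replace the i-th variable by args[i], a Poly over `target`."""
        r = Poly.const(target, 0)
        for m, c in self.terms.items():
            term = Poly.const(target, c)
            for a, e in zip(args, m):
                for _ in range(e):
                    term = term * a
            r = r + term
        return r

    def deriv(self, name):
        """Partial derivative with respect to the named variable."""
        i = self.vars.index(name)
        return Poly(self.vars, {m[:i] + (m[i] - 1,) + m[i + 1:]: c * m[i]
                                for m, c in self.terms.items() if m[i] > 0})

    def nonneg_coeffs(self):
        """Sufficient for P >= 0 on the non-negative orthant (the A_k >= 0 test of 5.1)."""
        return all(c >= 0 for c in self.terms.values())

def interpret(term, interp, rule_vars):
    """[t]: variables are interpreted as themselves; f(t1,...,tk) as [f]([t1],...,[tk]).
    Terms are encoded (our convention) as variable strings or (symbol, arg, ...) tuples."""
    if isinstance(term, str):
        return Poly.var(rule_vars, term)
    f, *args = term
    return interp[f].subst([interpret(a, interp, rule_vars) for a in args], rule_vars)

def zero_bounded(p, squares=()):
    """0-boundedness: P minus a caller-supplied sum of squares has non-negative coefficients."""
    for s in squares:
        p = p - s * s
    return p.nonneg_coeffs()

def mu_monotonic(interp, mu):
    """Theorem 2 with delta = 1: d[f]/dx_i - 1 >= 0 on [0, inf)^k for every replacing i."""
    return all((interp[f].deriv(interp[f].vars[i - 1]) - 1).nonneg_coeffs()
               for f, idx in mu.items() for i in idx)

def compatible(rules, interp, rule_vars, delta=1):
    """l >_delta r for every rule: [l] - [r] - delta >= 0 on the non-negative orthant."""
    return all((interpret(l, interp, rule_vars) - interpret(r, interp, rule_vars)
                - delta).nonneg_coeffs() for l, r in rules)

# Example 12: R = { f(x,g(x),y) -> f(y,y,y), b -> c, g(b) -> c } with mu(f) = {3}.
X3 = ("x1", "x2", "x3")
x1, x2, x3 = (Poly.var(X3, v) for v in X3)
INTERP = {"f": x1 * x1 - 2 * x1 * x2 + x2 * x2 + x3,   # [f](x,y,z) = x^2 - 2xy + y^2 + z
          "g": Poly.var(("x1",), "x1") + 1,            # [g](x) = x + 1
          "b": Poly.const((), 1), "c": Poly.const((), 0)}  # [b] = 1, [c] = 0
MU = {"f": {3}}
RULES = [(("f", "x", ("g", "x"), "y"), ("f", "y", "y", "y")),
         (("b",), ("c",)), (("g", ("b",)), ("c",))]
RULE_VARS = ("x", "y")

def example12_proof():
    """Section 5's three checks for Example 12; the witness (x1 - x2)^2 is ours,
    since the -2xy term makes [f] fail the plain coefficient test on its own."""
    bounded = zero_bounded(INTERP["f"], [x1 - x2]) and all(
        zero_bounded(INTERP[s]) for s in ("g", "b", "c"))
    return bounded, mu_monotonic(INTERP, MU), compatible(RULES, INTERP, RULE_VARS)
```

Because the first rule has a non-replacing first argument, asking for monotonicity there (μ(f) = {1}) fails the derivative check, which is exactly the freedom negative coefficients buy in CSR.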
6 Conclusions

We have shown how to obtain stable and well-founded term orderings by using a given interpretation of function symbols as real functions, not necessarily polynomials (Theorem 1). We have shown how to further obtain (μ-)reduction orderings, which can be used for proving (μ-)termination of TRSs (Theorem 2). This provides a new technique for proving termination of rewriting (Example 5) and a basis for proving termination of CSR by means of very general polynomial interpretations which can be characterized by:

1. The use of rational coefficients (as in Examples 3 and 8),

2. The use of negative coefficients (as in Example 2), and

3. The use of negative exponents² (as in Example 9).

These mechanisms allow us to avoid monotonicity for the non-replacing arguments of symbols (where this is not necessary). We also stress that the use of rational and negative coefficients and of negative exponents (and the lack of monotonicity in some arguments) disallows the use of most of the standard results for guaranteeing well-foundedness of the induced ordering on terms. For instance, in contrast to the unrestricted case (see [5]), the μ-subterm property [8, Definition 2] does not guarantee well-foundedness of a term ordering [8, Example 3]. Fortunately, Theorems 1 and 2 provide a good framework for defining μ-reduction orderings.

Regarding their use in proofs of termination of (unrestricted) rewriting, the methods presented here can also be helpful when monotonicity is not a crucial requirement for the use of term orderings. This is the case of the dependency pairs method [1], where non-monotonic (but well-founded and stable) orderings can be used in proofs of termination as part of a reduction pair (see [7]).

The framework in [8] can now be seen as a particular case of the new framework (Proposition 1). Our extended class of polynomial interpretations provides quite a powerful tool for proving termination of CSR. For instance, all examples of termination of CSR in [9] (the most recent paper on the topic) have now been proved terminating by using polynomial interpretations (see Examples 2, 3, 7, 12, and [8, Example 10]). We have described how to automatically obtain our polynomial interpretations. We have implemented our techniques (linear and simple-mixed interpretations of Sections 5.1 and 5.2) as part of the tool MU-TERM.

6.1 Future Work

From a theoretical point of view, the class of reduction orderings $>_\delta$ induced by an m-bounded algebra over the reals should be further investigated. The exact role of m and δ has to be clarified. Another interesting question concerns completeness of the approach: is every terminating TRS compatible with one of such orderings? If not, what are the limitations of the approach? Example 5 shows that the technique applies to a non-simply terminating TRS (see [16, Proposition 6.3.26(iv)]); thus, what would be the position of these orderings in a termination hierarchy possibly extending that of [16, Section 6.3]?

² Of course, we should more properly speak about polynomial fractions in this case.

Regarding the practical use of these orderings, we plan to investigate new families of real functions which are well-suited for automation purposes. We will focus on those functions which can also be used to prove termination of CSR, by introducing mechanisms for losing monotonicity in some arguments. In particular, in this paper we did not pay any attention to formalizing the use of polynomial fractions. This could be a first starting point.

Acknowledgements. I thank Bernhard Gramlich and the anonymous referees 
for their comments and suggestions. 
Abstract. More than a decade ago, Moller and Tofts published their
seminal work on relating processes that are annotated with lower time 
bounds, with respect to speed. Their paper has left open many questions 
concerning the semantic theory for their suggested bisimulation-based 
faster-than preorder, the MT-preorder, which have not been addressed 
since. The encountered difficulties concern a general compositionality 
result, a complete axiom system for finite processes, and a convincing 
intuitive justification of the MT-preorder. 

This paper solves these difficulties by developing and employing novel 
tools for reasoning in discrete-time process algebra, in particular a gen- 
eral commutation lemma relating the sequencing of action and clock 
transitions. Most importantly, it is proved that the MT-preorder is fully- 
abstract with respect to a natural amortized preorder that uses a simple 
bookkeeping mechanism for deciding whether one process is faster than 
another. Together these results reveal the intuitive roots of the MT- 
preorder as a faster-than relation, while testifying to its semantic ele- 
gance. This lifts some of the barriers that have so far hampered progress 
in semantic theories for comparing the speed of processes. 



1 Introduction 

Over the past two decades, the field of process algebra [7] has proved successful 
for modeling and reasoning about the communication behavior of concurrent pro- 
cesses. Early process algebras, such as Milner’s CCS [18] and Hoare’s CSP [15], 
have been augmented to capture other important system aspects as well, in- 
cluding timing behavior [6]. Many variants of timed process algebra that employ 
either discrete or continuous notions of time have been proposed, whose seman- 
tic theories are usually based on the well-studied concepts of bisimulation [19], 
failures [22], or testing [14]. 

While several approaches for comparing the efficiency of processes have been 
introduced in the literature [4,21], theories for comparing timed processes with 
respect to speed are seeded very sparsely. The most seminal paper in the latter category was published over a decade ago [20]. In this paper, the authors Moller and Tofts argue that a faster-than relation on processes can only exist for those process-algebraic settings where the passage of time cannot preempt behavior, and especially not for settings involving timeout operators. For
a timeout-less fragment of TCCS [19], Moller and Tofts then introduced a com- 
positional faster-than preorder based on strong bisimulation [18], and discussed 
some of its underlying algebraic laws. Despite the paper’s originality, the work is 
lacking regarding three important aspects. First, the advocated preorder is not 
intuitively justified but appears to be an ad-hoc remedy for a compositionality 
problem. Second, the framework possesses technical weaknesses. For example, 
Moller and Tofts only managed to prove compositionality of their preorder for 
the class of regular processes, and their proposed laws for characterizing their 
preorder are incomplete. Third, no semantic theory that abstracts from internal 
computation, in the sense of observation equivalence [18], is presented in [20]. 

The aim of this paper is to put the faster-than preorder of Moller and Tofts, 
or MT-preorder for short, on solid semantic grounds and to highlight its in- 
tuitive roots, thereby testifying to the elegance of Moller and Tofts’ approach. 
Technically, we add to Milner's CCS a discrete-time clock prefixing operator "σ.", interpreted as lower time bound. Intuitively, process P in σ.P is only activated after the ticking of the abstract clock σ, i.e., after one time unit. The nesting of σ-prefixes then allows the specification of arbitrary delays (written as prefix (n) with $n \in \mathbb{N}$ in [20]), which results in a process algebra equivalent to the fragment of TCCS studied by Moller and Tofts. We refer to this algebra as Timed Asynchronous Communicating Systems with lower time bounds, or TACS$^{\mathrm{lt}}$. As our first main result we prove that the MT-preorder is compositional and fully-abstract with respect to a natural amortized preorder that uses
a simple bookkeeping mechanism for deciding whether one process is faster than 
another. The intuition behind this amortized preorder is that the faster process 
must execute each action no later than the slower process does, while both pro- 
cesses must be functionally equivalent in the usual sense of strong bisimulation. 
To obtain this result we also establish some powerful semantic tools for reasoning 
within discrete-time process algebra, in particular a general commutation lemma 
relating the sequencing of action and clock transitions. As our second main re- 
sult we provide a sound and complete axiomatization of the MT-preorder for 
the class of finite processes. This includes the provision of a simple expansion 
law, which Moller and Tofts had claimed could not exist. The twist is that this 
expansion law is only valid for finite processes, but interestingly not for arbitrary 
recursive processes. As our third and final main result we introduce a notion of 
a weak MT-preorder — a task that turns out to be far more challenging than 
in other bisimulation-based process-algebraic settings. 

Our results shed light on the nature of the MT-preorder and overcome the 
technical difficulties experienced by Moller and Tofts, thereby completing, gen- 
eralizing, and strengthening their results and providing groundwork for advanc- 
ing semantic theories that compare processes with respect to speed. This paper 
also complements our previous work on bisimulation-based faster-than relations 
for timed process algebra with upper time bounds [17]. Indeed, several ideas and technical concepts can be carried over from the upper-time-bounds setting of [17] to the lower-time-bounds setting presented here.

Due to lack of space, all proofs had to be omitted; they will be available 
under http://www.informatik.uni-augsburg.de/skripts/techreports/ as technical 
report 2004-1. 

2 Timed Asynchronous Communicating Systems 

Our process algebra TACS$^{\mathrm{lt}}$ conservatively extends Milner's CCS [18] by permitting the specification of lower time bounds for the execution of actions and processes. These will then be used to compare processes with respect to speed. Syntactically, TACS$^{\mathrm{lt}}$ includes a clock prefixing operator "σ.", taken from Hennessy and Regan's TPL [14]. Semantically, it adopts a concept of global, discrete time in which processes are lazy and can always let time pass. For example, σ.P must wait for at least one time unit before it can start executing process P.

Syntax. The syntax of TACS$^{\mathrm{lt}}$ is identical to the one in [17], where we considered a faster-than preorder that relates processes on the basis of upper rather than lower time bounds. Formally, let $\Lambda$ be a countably infinite set of actions not including the distinguished unobservable, internal action τ. With every $a \in \Lambda$ we associate a complementary action $\bar{a}$. We define $\bar{\Lambda} =_{\mathrm{df}} \{\bar{a} \mid a \in \Lambda\}$ and take $\mathcal{A}$ to denote the set $\Lambda \cup \bar{\Lambda} \cup \{\tau\}$. Complementation is lifted to $\Lambda \cup \bar{\Lambda}$ by defining $\bar{\bar{a}} =_{\mathrm{df}} a$. As in CCS [18], an action a communicates with its complement $\bar{a}$ to produce the internal action τ. We let $a, b, \ldots$ range over $\Lambda \cup \bar{\Lambda}$, $\alpha, \beta, \ldots$ over $\mathcal{A}$, and represent clock ticks by σ. The syntax of TACS$^{\mathrm{lt}}$ is defined as follows:

  $P ::= \mathbf{0} \mid x \mid \alpha.P \mid \sigma.P \mid P + P \mid P|P \mid P \setminus L \mid P[f] \mid \mu x.P$

where x is a variable taken from a countably infinite set $\mathcal{V}$ of variables, $L \subseteq \mathcal{A} \setminus \{\tau\}$ is a restriction set, and $f : \mathcal{A} \to \mathcal{A}$ is a finite relabeling. A finite relabeling satisfies the properties $f(\tau) = \tau$, $f(\bar{a}) = \overline{f(a)}$, and $|\{\alpha \mid f(\alpha) \neq \alpha\}| < \infty$. The set of all terms is abbreviated by $\widehat{\mathcal{P}}$, and we define $\bar{L} =_{\mathrm{df}} \{\bar{a} \mid a \in L\}$. Moreover, we use the standard definition for open and closed terms. A variable is called guarded in a term if each occurrence of the variable is within the scope of an action or clock prefix. Moreover, we require for terms of the form $\mu x.P$ that x is guarded in P. We refer to closed and guarded terms as processes, with the set of all processes written as $\mathcal{P}$, and write ≡ for syntactic equality.

Semantics. The operational semantics of a TACS$^{\mathrm{lt}}$ term $P \in \widehat{\mathcal{P}}$ is given by a labeled transition system $\langle \widehat{\mathcal{P}}, \mathcal{A} \cup \{\sigma\}, \longrightarrow, P \rangle$, where $\widehat{\mathcal{P}}$ is the set of states, $\mathcal{A} \cup \{\sigma\}$ the alphabet, $\longrightarrow \subseteq \widehat{\mathcal{P}} \times (\mathcal{A} \cup \{\sigma\}) \times \widehat{\mathcal{P}}$ the transition relation, and P the start state. Transitions labeled with an action α are called action transitions that, like in CCS, are local handshake communications in which two processes may synchronize to take a joint state change together. Transitions labeled with the clock symbol σ are called clock transitions representing a recurrent global synchronization that encodes the progress of time.

The operational semantics for action and clock transitions can be defined via the structural operational rules shown in Tables 1 and 2, resp. As usual, we write $P \xrightarrow{\gamma} P'$ instead of $\langle P, \gamma, P' \rangle \in \longrightarrow$, for $\gamma \in \mathcal{A} \cup \{\sigma\}$, and say that P may engage in γ and thereafter behave like P'. Sometimes it is also convenient to write (i) $P \xrightarrow{\gamma}$ for $\exists P'.\ P \xrightarrow{\gamma} P'$, (ii) $P \xrightarrow{\sigma^k} P'$ for $k \in \mathbb{N}$ consecutive clock transitions, with $\mathbb{N}$ including 0, and (iii) $P \xrightarrow{w} P'$, where either $w = \epsilon$ and $P \equiv P'$, or $w = \gamma w'$ for some $\gamma \in \mathcal{A} \cup \{\sigma\}$ and $w' \in (\mathcal{A} \cup \{\sigma\})^*$, and $\exists \hat{P}.\ P \xrightarrow{\gamma} \hat{P} \xrightarrow{w'} P'$.



Table 1. Operational semantics for TACS$^{\mathrm{lt}}$ (action transitions)

  Act     $\alpha.P \xrightarrow{\alpha} P$
  Rec     $\mu x.P \xrightarrow{\alpha} P'[\mu x.P / x]$   if  $P \xrightarrow{\alpha} P'$
  Sum1    $P + Q \xrightarrow{\alpha} P'$   if  $P \xrightarrow{\alpha} P'$
  Sum2    $P + Q \xrightarrow{\alpha} Q'$   if  $Q \xrightarrow{\alpha} Q'$
  Com1    $P|Q \xrightarrow{\alpha} P'|Q$   if  $P \xrightarrow{\alpha} P'$
  Com2    $P|Q \xrightarrow{\alpha} P|Q'$   if  $Q \xrightarrow{\alpha} Q'$
  Com3    $P|Q \xrightarrow{\tau} P'|Q'$   if  $P \xrightarrow{a} P'$ and $Q \xrightarrow{\bar{a}} Q'$
  Res     $P \setminus L \xrightarrow{\alpha} P' \setminus L$   if  $P \xrightarrow{\alpha} P'$ and $\alpha \notin L \cup \bar{L}$
  Rel     $P[f] \xrightarrow{f(\alpha)} P'[f]$   if  $P \xrightarrow{\alpha} P'$



The action-prefix term α.P may engage in action α and then behave like P. It may also idle, i.e., engage in a clock transition to itself, as process $\mathbf{0}$ does. The clock-prefix term σ.P can engage in a clock transition to P and ensures that there is a delay of at least one time unit before P is activated. The summation operator + denotes nondeterministic choice: P + Q may behave like P or Q; according to the deterministic nature of time, a clock transition cannot resolve choices. The restriction operator $\setminus L$ prohibits the execution of actions in $L \cup \bar{L}$ and, thus, permits the scoping of actions. P[f] behaves exactly as P with actions renamed by the relabeling f. The term P|Q stands for the parallel composition of P and Q according to an interleaving semantics with synchronized communication on complementary actions, resulting in the internal action τ. Again, time has to proceed equally on both sides of the operator, i.e., deterministically. Finally, $\mu x.P$ denotes recursion; it behaves as a distinguished solution to the equation x = P. The rules for action transitions are the same as for CCS, with the exception of the new clock-prefix operator and the rule for recursion; however, the latter is equivalent to the standard CCS rule over guarded terms [5].

The operational semantics for TACS$^{\mathrm{lt}}$ possesses several important properties [14]. Firstly, any process can perform a clock transition due to our adoption of a lazy nil-process $\mathbf{0}$ and a lazy prefix operator. Secondly, the semantics is time-deterministic, i.e., progress of time does not resolve choices. Formally, $P \xrightarrow{\sigma} P'$ and $P \xrightarrow{\sigma} P''$ implies $P' \equiv P''$, for all $P, P', P'' \in \widehat{\mathcal{P}}$, which can easily be proved via induction on the structure of P.
Table 2. Operational semantics for TACS$^{\mathrm{lt}}$ (clock transitions)

  tNil    $\mathbf{0} \xrightarrow{\sigma} \mathbf{0}$
  tAct    $\alpha.P \xrightarrow{\sigma} \alpha.P$
  tPre    $\sigma.P \xrightarrow{\sigma} P$
  tRec    $\mu x.P \xrightarrow{\sigma} P'[\mu x.P / x]$   if  $P \xrightarrow{\sigma} P'$
  tSum    $P + Q \xrightarrow{\sigma} P' + Q'$   if  $P \xrightarrow{\sigma} P'$ and $Q \xrightarrow{\sigma} Q'$
  tCom    $P|Q \xrightarrow{\sigma} P'|Q'$   if  $P \xrightarrow{\sigma} P'$ and $Q \xrightarrow{\sigma} Q'$
  tRes    $P \setminus L \xrightarrow{\sigma} P' \setminus L$   if  $P \xrightarrow{\sigma} P'$
  tRel    $P[f] \xrightarrow{\sigma} P'[f]$   if  $P \xrightarrow{\sigma} P'$


3 The Moller–Tofts Preorder 

This section first recalls the faster-than preorder introduced by Moller and Tofts 
in [20], to which we refer as Moller-Tofts preorder, or MT-preorder for short. As 
the section’s main contribution, we prove the compositionality of this preorder 
for arbitrary processes, which has only been conjectured by Moller and Tofts. 
Indeed, the compositionality proof offered in [20] is restricted to processes that 
do not have any parallel operators inside the scope of a recursion. The key 
for proving compositionality in the general setting is a nontrivial commutation 
lemma that considers what happens when adjacent action and clock transitions 
are transposed. This lemma also plays an important role when obtaining the 
full-abstraction result presented in the next section. 

Definition 1 (MT-preorder [20]). A relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is an MT-relation 
if, for all $(P, Q) \in \mathcal{R}$ and $a \in \mathcal{A}$: 

1. $P \xrightarrow{a} P'$ implies $\exists Q', k, P''.\ Q\,(\xrightarrow{\sigma})^k \xrightarrow{a} Q'$, $P'\,(\xrightarrow{\sigma})^k P''$, and $(P'', Q') \in \mathcal{R}$. 

2. $Q \xrightarrow{a} Q'$ implies $\exists P'.\ P \xrightarrow{a} P'$ and $(P', Q') \in \mathcal{R}$. 

3. $P \xrightarrow{\sigma} P'$ implies $\exists Q'.\ Q \xrightarrow{\sigma} Q'$ and $(P', Q') \in \mathcal{R}$. 

4. $Q \xrightarrow{\sigma} Q'$ implies $\exists P'.\ P \xrightarrow{\sigma} P'$ and $(P', Q') \in \mathcal{R}$. 

We write $P \sqsupseteq_{\mathrm{mt}} Q$ if $(P, Q) \in \mathcal{R}$ for some MT-relation $\mathcal{R}$, and call $\sqsupseteq_{\mathrm{mt}}$ the 
MT-preorder. 

Technically, all conditions of this definition, with the exception of the first one, 
are identical to the ones of temporal strong bisimulation (cf., e.g., [8]). Intuitively, 
the weaker first condition states that, if the faster process $P$ can perform an 
action, then the slower process $Q$ need not match this action right away, but can 
perform an arbitrary number $k$ of time steps before doing so. However, delaying 
$k$ time steps may make the resulting process $Q'$ faster than $P'$. To account for 
this, Moller and Tofts suggest that $P'$ performs $k$ time steps of its own, resulting 
in process $P''$ that should then be faster than $Q'$. To see the necessity for this, 
consider the processes $a.0 \,|\, \sigma.b.0$ and $\sigma.a.0 \,|\, \sigma.b.0$, for which a sensible faster-than 
preorder should clearly identify the former process as the faster one. Here, the 
$a$-transition of the former process to $0 \,|\, \sigma.b.0$ can only be matched by the latter 
process after a delay of one time unit, leading to $0 \,|\, b.0$. However, $0 \,|\, \sigma.b.0$ is not 
faster than $0 \,|\, b.0$, but only if it has delayed a time unit as well. Forcing the faster 
process to match the delay of the slower one immediately seems arbitrary and 
restrictive. Nevertheless, we will show in the next section that this is not the 
case and that there is a very natural explanation for this. 

It is easy to see that $\sqsupseteq_{\mathrm{mt}}$ is indeed a preorder, i.e., it is reflexive and transitive, 
and that it is the largest MT-relation. Moreover, if one studies CCS process 
terms only, i.e., TACS^lt processes not containing any clock prefix operator, then 
two processes are related in the MT-preorder if and only if they are strongly 
bisimilar. This is because here all clock transitions are idling transitions, i.e., 
$\sigma$-loops; vice versa, every process can idle due to the laziness property. Hence, 
CCS is a sub-calculus of TACS^lt. 



Theorem 2 (Precongruence). The MT-preorder $\sqsupseteq_{\mathrm{mt}}$ is a precongruence for 
all TACS^lt operators. 



The only difficult and non-standard part of the proof concerns compositionality 
regarding parallel composition and is based on the following commutation lemma. 

Lemma 3 (Commutation). Let $P, P' \in \mathcal{P}$ and $w \in (\mathcal{A} \cup \{\sigma\})^*$. If $P \xrightarrow{w} (\xrightarrow{\sigma})^k P'$, 
for $k \in \mathbb{N}$, then $\exists P''.\ P\,(\xrightarrow{\sigma})^k \xrightarrow{w} P''$ and $P' \sqsupseteq_{\mathrm{mt}} P''$. 

The commutation lemma states that a delay, i.e., one or more clock transitions, 
after a given sequence of transitions can also be made before this sequence. 
Moreover, the earlier a delay is performed, the slower the resulting process is. 
The proof of this lemma is non-trivial and requires the introduction of a simple 
syntactic faster-than relation on process terms that essentially encodes the 
syntactic implications of our intuition that any term $P$ should be faster than $\sigma.P$. 



Definition 4. The relation $\succ \subseteq \mathcal{P} \times \mathcal{P}$ is defined as the smallest relation satisfying 
the following properties, for all $P, P', Q, Q' \in \mathcal{P}$. 

Always: (1) $P \succ P$; (2) $P \succ \sigma.P$. 
If $P' \succ P$ and $Q' \succ Q$: (3) $P'|Q' \succ P|Q$; (4) $P' + Q' \succ P + Q$. 
If $P' \succ P$: (5) $P'\backslash L \succ P\backslash L$; (6) $P'[f] \succ P[f]$. 
If $P' \succ P$ and $x$ guarded in $P$: (7) $P'[\mu x.P/x] \succ \mu x.P$. 

Observe that relation $\succ$ is not transitive and that it is also defined for open 
terms. It is interesting to note that $\succ$ is adopted from [17], where we studied 
bisimulation-based faster-than relations for upper time bounds. 

Important properties are: the restriction of $\succ$ to processes is an MT-relation, i.e., a syntactically faster 
process is also semantically faster; and the process resulting from a clock transition 
is syntactically and hence semantically faster than the initial process. 
4 The MT-Preorder Is Fully Abstract 

While the MT-preorder is algebraically appealing due to its precongruence property, 
it does not necessarily seem to be a natural choice for defining a faster-than 
relation. As mentioned earlier, Def. 1 requires that differences in delays between 
processes must be accounted for within one step of matching, and hence not 
all the future behaviour of $P'$ in Part 1 is considered. In the following we explore 
an alternative amortized view of faster-than, where the differences can 
be smoothed out over several steps. Technically, we will prove that the MT-preorder 
is fully abstract with respect to this amortized preorder, which demonstrates 
that the MT-preorder has indeed very intuitive roots. 

Definition 5 (Amortized faster-than preorder). A family $(\mathcal{R}_i)_{i \in \mathbb{N}}$ of relations 
over $\mathcal{P}$ is a family of faster-than relations if, for all $i \in \mathbb{N}$, $(P, Q) \in \mathcal{R}_i$, 
and $a \in \mathcal{A}$: 

1. $P \xrightarrow{a} P'$ implies $\exists Q', k.\ Q\,(\xrightarrow{\sigma})^k \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}_{i+k}$. 

2. $Q \xrightarrow{a} Q'$ implies $\exists P', k \le i.\ P\,(\xrightarrow{\sigma})^k \xrightarrow{a} P'$ and $(P', Q') \in \mathcal{R}_{i-k}$. 

3. $P \xrightarrow{\sigma} P'$ implies $\exists Q', k \ge 0.\ k \ge 1 - i$, $Q\,(\xrightarrow{\sigma})^k Q'$, and $(P', Q') \in \mathcal{R}_{i-1+k}$. 

4. $Q \xrightarrow{\sigma} Q'$ implies $\exists P', k \ge 0.\ k \le i + 1$, $P\,(\xrightarrow{\sigma})^k P'$, and $(P', Q') \in \mathcal{R}_{i+1-k}$. 

We write $P \sqsupseteq_i Q$ if $(P, Q) \in \mathcal{R}_i$ for some family of faster-than relations $(\mathcal{R}_i)_{i \in \mathbb{N}}$, 
and call $\sqsupseteq_0$ the amortized faster-than preorder. 

This definition reflects our intuition that processes that perform delays later 
along execution paths are faster than functionally equivalent ones that perform 
delays earlier; this is because the former processes are executing actions at earlier 
absolute times (as measured from the start of the processes) than the latter 
ones. Def. 5 formalizes this intuition as follows: $P \sqsupseteq_i Q$ means that $Q$, or rather 
some predecessor of $Q$, has already performed $i$ clock transitions that were not 
matched by $P$; therefore, $P$ has a credit of $i$ clock transitions that it might 
perform later without a match by $Q$ (cf. Part (3) for $k = 0$). Any extra delays 
of the slower process when matching an action or clock transition of the faster 
process increase credit $i$ accordingly (cf. Parts (1) and (3) for $k \ge 1$). Vice versa, 
an action or clock transition of the slower process does not necessarily have to 
be matched directly by the faster one: the latter may delay up to as many clock 
transitions as are allowed by the current credit $i$ (cf. Parts (2) and (4)). 

Processes $P =_{df} c.a.\sigma.b.0 + c.a.b.0$ and $Q =_{df} c.a.b.0$ exhibit the difference 
to the MT-preorder. The family of faster-than relations defined by $\mathcal{R}_0 =_{df} 
\{(P, Q)\} \cup \{(P, P) \mid P \in \mathcal{P}\}$, $\mathcal{R}_1 =_{df} \{(a.\sigma.b.0, a.b.0), (\sigma.b.0, b.0), (b.0, b.0), (0, 0)\}$, 
and $\mathcal{R}_i =_{df} \emptyset$, for $i > 1$, testifies to $P \sqsupseteq_0 Q$; note that $P \xrightarrow{c} a.\sigma.b.0$ is matched by 
$Q \xrightarrow{\sigma} \xrightarrow{c} a.b.0$. However, we do not have $P \sqsupseteq_{\mathrm{mt}} Q$. The step $P \xrightarrow{c} a.\sigma.b.0$ could 
only be matched by $Q\,(\xrightarrow{\sigma})^k \xrightarrow{c} a.b.0$ for some $k \in \mathbb{N}$. Since $a.\sigma.b.0\,(\xrightarrow{\sigma})^k a.\sigma.b.0$, 
for any $k$, this would require $a.\sigma.b.0 \sqsupseteq_{\mathrm{mt}} a.b.0$, which is clearly wrong. 

It can be shown that the amortized faster-than preorder is indeed a preorder 
and that $(\sqsupseteq_i)_{i \in \mathbb{N}}$ is the (componentwise) largest family of faster-than relations. 
However, there is an important shortcoming: $\sqsupseteq_0$ is not preserved under parallel 
composition. Consider the processes $P$ and $Q$ above, where $P \sqsupseteq_0 Q$. For 
$R =_{df} \mu x.(\sigma.d.0 \,|\, \sigma.x)$, where $d$ is a 'fresh' action not occurring in the sorts 
of $P$ and $Q$, one may show that $P \,|\, R \not\sqsupseteq_0 Q \,|\, R$. The reason for this is as follows. 
Transition $P \,|\, R \xrightarrow{c} a.\sigma.b.0 \,|\, R$ would need to be matched by a sequence 
of transitions $Q \,|\, R\,(\xrightarrow{\sigma})^k \xrightarrow{c} a.b.0 \,|\, d.0 \,|\, \cdots \,|\, d.0 \,|\, R$, for some $k \in \mathbb{N}$ and $k$ parallel 
components $d.0$, such that $a.\sigma.b.0 \,|\, R \sqsupseteq_k a.b.0 \,|\, d.0 \,|\, \cdots \,|\, d.0 \,|\, R$ would hold. 
Now, let the latter process engage in all $d$-computations of the $k$ components $d.0$. 
Since $d$ is a fresh action, these can only be matched by unfolding $R$ $k$ times in 
$a.\sigma.b.0 \,|\, R$ and executing $k$ clock transitions and $k$ $d$-transitions. Thus, 
$a.\sigma.b.0 \,|\, R \sqsupseteq_0 a.b.0 \,|\, R$ would follow necessarily, i.e., no credit remains. While the 
right-hand process can now engage in the sequence $a.b$, the left-hand process 
can only match action $a$, but not also action $b$, due to the lack of credit. 

To address this compositionality problem of $\sqsupseteq_0$ we refine its definition. 

Definition 6 (Amortized faster-than precongruence). A family $(\mathcal{R}_i)_{i \in \mathbb{N}}$ 
of relations over $\mathcal{P}$ is a precongruence family if, for all $i \in \mathbb{N}$, $(P, Q) \in \mathcal{R}_i$, and 
$a \in \mathcal{A}$: 

1. $P \xrightarrow{a} P'$ implies $\exists Q', k.\ Q\,(\xrightarrow{\sigma})^k \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}_{i+k}$. 

2. $Q \xrightarrow{a} Q'$ implies $\exists P', k \le i.\ P\,(\xrightarrow{\sigma})^k \xrightarrow{a} P'$ and $(P', Q') \in \mathcal{R}_{i-k}$. 

3. $P \xrightarrow{\sigma} P'$ implies (a) $i > 0$ and $(P', Q) \in \mathcal{R}_{i-1}$, or 
   (b) $i = 0$ and $\exists Q'.\ Q \xrightarrow{\sigma} Q'$ and $(P', Q') \in \mathcal{R}_i$. 

4. $Q \xrightarrow{\sigma} Q'$ implies $(P, Q') \in \mathcal{R}_{i+1}$. 

We write $P \sqsupseteq^{c}_i Q$ if $(P, Q) \in \mathcal{R}_i$ for some precongruence family $(\mathcal{R}_i)_{i \in \mathbb{N}}$, and 
call $\sqsupseteq^{c}_0$ the amortized faster-than precongruence. 

One can show that this amortized faster-than precongruence is indeed a preorder 
and that $(\sqsupseteq^{c}_i)_{i \in \mathbb{N}}$ is the (componentwise) largest family of faster-than relations. 

This preorder's definition is identical to the one of the amortized faster-than 
preorder, with the exception that a delay of the faster process now always results 
in consuming any available credit, while any delay of the slower process results in 
increasing the credit available to the faster one. As a consequence, it is easy to see 
that the amortized faster-than precongruence refines the amortized faster-than 
preorder, i.e., $\sqsupseteq^{c}_0 \subseteq \sqsupseteq_0$. 

Theorem 7 (Coincidence). The preorders $\sqsupseteq_{\mathrm{mt}}$ and $\sqsupseteq^{c}_0$ coincide. 

As a consequence, $\sqsupseteq^{c}_0$ is not only a preorder but indeed a precongruence, 
since $\sqsupseteq_{\mathrm{mt}}$ is a precongruence. Note, however, that the relations $\sqsupseteq^{c}_i$, for $i > 0$, 
are not precongruences; for example, $\sigma.b.0 \sqsupseteq^{c}_1 b.0$ but not $a.\sigma.b.0 \sqsupseteq^{c}_1 a.b.0$ due to 
Def. 6(3). 

Theorem 8 (Full abstraction). The preorder $\sqsupseteq_{\mathrm{mt}}$ is the largest precongruence 
contained in $\sqsupseteq_0$. 

Intuitively, Thms. 7 and 8 show that the MT-preorder rests on a very natural, 
amortized view of the notion of faster-than. Henceforth, we will write $\sqsupseteq \;=_{df}\; \sqsupseteq_{\mathrm{mt}}$ 
and call it the strong faster-than precongruence. 
5 Axiomatizing the Moller–Tofts Preorder 

We give a sound and complete axiomatization of our strong faster-than precongruence 
for the class of finite processes, which do not contain any recursion 
operator. This allows one to compare our semantic theory for a calculus with lower 
time bounds with the one developed for a calculus with upper time bounds 
presented in [17], as well as with the CCS theory of strong bisimulation [18]. 



Table 3. Axiom system for finite processes 
The axioms for our MT-precongruence are shown in Table 3, where a term 
in square brackets is optional. Moreover, $\sum$ is the indexed version of $+$, and we 
adopt the convention that the sum over the empty index set is identified with 
process $0$. Any axiom of the form $t = u$ should be read as two axioms $t \sqsupseteq u$ 
and $u \sqsupseteq t$. We write $\vdash t \sqsupseteq u$ if $t \sqsupseteq u$ can be derived from the axioms. 

Axioms (A1)–(A4), (D1)–(D4), and (C1)–(C5) are exactly the ones for strong 
bisimulation in CCS [18]. Hence, the semantic theory of our calculus is distinguished 
from the one for strong bisimulation by the additional Axioms (P3)–(P6) 
and the refined expansion law (E). Further, it is distinguished from the one for 
the faster-than preorder for upper time bounds [17] by leaving out Axioms (P1) 
and (P2) related to enforcing upper time bounds, and by adding Axiom (P6). 
Intuitively, this added axiom states that inserting a delay within a path of a 
process does not alter the speed of the process, as long as there exists a functionally 
equivalent path without delay; this shows that our theory concentrates on 
best-case behavior by ignoring the slower summand that has the optional delay. 
Axiom (P6) generalizes to 

(P6') $a.P = a.\sigma^k.P + a.P$, 

for any $k \in \mathbb{N}$, by repeated application; here, "$\sigma^k.$" stands for $k$ nested clock 
prefixes. Axiom (P3) is similar in spirit to Axiom (P6) but cannot be derived 
from the other axioms. Axiom (P4) is a standard axiom in timed process algebras 
and testifies to the fact that time is a deterministic concept and does not resolve 
choices. Finally, Axiom (P5) encodes our elementary intuition of clock prefixes 
and speed within TACS^lt, namely that any process $t$ is faster than process $\sigma.t$, 
which must delay the execution of $t$ by one clock tick. 

The correctness of our axioms relative to $\sqsupseteq$ can be established as usual [18]. 
Note that all axioms, with the exception of the Expansion Axiom (E) and 
Axiom (P3), are sound for arbitrary processes, not only for finite ones. It should 
be noted here that the axioms presented in [20] do not completely correspond 
with the MT-preorder, as has also been noted by Moller and Tofts since the 
publication of their paper in 1991 [priv. commun.]. For example, $a.\sigma.b.0 + a.b.0$ 
is as fast as $a.b.0$, which does not seem to be derivable from the axioms in [20]. 
In our theory, this example is a simple instantiation of Axiom (P6). 

Moller and Tofts claim in [20] that the "standard" expansion law [18] for 
faster-than relations based on lower time bounds does not hold, even for finite 
processes. While this observation is true for arbitrary processes, it is incorrect 
for finite ones. As a simple example we have $a.0 \,|\, \sigma.b.0 = a.(0 \,|\, \sigma.b.0) + \sigma.(a.0 \,|\, b.0)$, 
contrary to the claims in [20]. 

The proof for the completeness of our axiomatization is based on the following 
notion of normal form. 

Definition 9 (Normal form). A finite process $t$ is in normal form if 

$t = \sum_{i \in I} \alpha_i.t_i \;[\,+\; \sigma.t_\sigma\,]$, 

where (i) $I$ denotes a finite index set, (ii) $\alpha_i \in \mathcal{A}$ for all $i \in I$, (iii) all the $t_i$ are 
in normal form, and (iv) the subterm in brackets is optional and, if it exists, $t_\sigma$ 
is in normal form $\sum_{j \in J} \beta_j.u_j \;[\,+\; \sigma.u_\sigma\,]$ and $j \in J.\ \alpha_i.t_i = \beta_j.u_j$. 

Theorem 10 (Correctness & completeness). For finite processes $t$ and $u$ 
we have: $\vdash t \sqsupseteq u$ if and only if $t \sqsupseteq_{\mathrm{mt}} u$. 

6 Example 

This section applies our semantic theory to a simple example dealing with two 
implementations of a two-place storage in terms of two cells and a buffer, respectively 
(cf. [18]). For simplifying the presentation we specify recursion via 
recursive process equations in the style of Milner [18], instead of using our recursion 
operator. The two-cells system is defined as the parallel composition $C_0 \,|\, C_0$ 
of two one-place cells $C_0 \stackrel{\mathrm{def}}{=} \mathit{in}.C_1$, where $C_1 \stackrel{\mathrm{def}}{=} \sigma.\mathit{out}.C_0$. The two-place buffer 
$B_0$ is given by the process equations $B_0 \stackrel{\mathrm{def}}{=} \mathit{in}.B_1$, $B_1 \stackrel{\mathrm{def}}{=} \sigma.\mathit{out}.B_0 + \mathit{in}.B_2$ and 
$B_2 \stackrel{\mathrm{def}}{=} \sigma.\mathit{out}.B_1$. As is reflected by the $\sigma$-prefixes in front of the $\mathit{out}$-prefixes, both 
cells $C_0$ and the two-place buffer $B_0$ have to delay at least one time unit until 
they can offer a communication on port $\mathit{out}$. Intuitively, one would expect the 
two-cell system to be strictly faster, since if both cells are full, then both data 
items stored may be output after a delay of only one time unit, while the buffer 
requires a delay of at least two time units until it may release the second data 
item. 

As desired, our semantic theory for TACS^lt relates $C_0 \,|\, C_0$ and $B_0$. Formally, 
this may be witnessed by the MT-relation given below, in which we employ the 
abbreviations $C_1' =_{df} \mathit{out}.C_0$, $B_1' =_{df} \mathit{out}.B_0 + \mathit{in}.B_2$, and $B_2' =_{df} \mathit{out}.B_1$. 

$(C_0|C_0, B_0)$, $(C_1|C_0, B_1)$, $(C_0|C_1, B_1)$, $(C_1'|C_0, B_1')$, 
$(C_0|C_1', B_1')$, $(C_1|C_1, B_2)$, $(C_1'|C_1, B_2)$, $(C_1|C_1', B_2)$, 
$(C_1'|C_1', B_2')$, $(C_1'|C_0, B_1)$, $(C_0|C_1', B_1)$. 

It is easy to check, by referring to Def. 1, that this relation is indeed an MT-relation, 
whence $C_0 \,|\, C_0 \sqsupseteq_{\mathrm{mt}} B_0$. Vice versa, $B_0 \sqsupseteq_{\mathrm{mt}} C_0 \,|\, C_0$ does not hold according 
to Def. 1, since $C_0 \,|\, C_0$ can engage in the transition sequence 
$C_0 \,|\, C_0 \xrightarrow{\mathit{in}} \xrightarrow{\mathit{in}} \xrightarrow{\sigma} \xrightarrow{\mathit{out}} \xrightarrow{\mathit{out}}$, which cannot be matched by $B_0$. Thus, the two-cells system is faster 
than the two-place buffer in all contexts, although functionally equivalent, 
which matches our intuition mentioned above. 
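As an added example (not code from the paper), the following Python script encodes the clock rules of Table 2 together with the CCS action rules, decides the MT-preorder of Def. 1 over finite state spaces as a greatest fixed point, and checks the two-cells/buffer claim above; process equations are given as a dictionary of constants in place of the $\mu$-operator, actions are plain strings, and a leading "~" marks the complementary action (both are conventions of this script, not of the paper).

```python
from dataclasses import dataclass

SIGMA = "σ"   # the clock action: Pre(SIGMA, P) is the clock prefix σ.P
TAU = "τ"     # internal action produced by synchronising a with ~a

class Proc: pass           # base class of process terms

@dataclass(frozen=True)
class Nil(Proc): pass      # 0
@dataclass(frozen=True)
class Pre(Proc):           # a.P, or the clock prefix σ.P when act == SIGMA
    act: str; body: Proc
@dataclass(frozen=True)
class Sum(Proc):           # P + Q
    left: Proc; right: Proc
@dataclass(frozen=True)
class Par(Proc):           # P | Q
    left: Proc; right: Proc
@dataclass(frozen=True)
class Const(Proc):         # constant defined by a guarded process equation
    name: str

def co(a):
    """Complementary action: a and ~a synchronise to τ."""
    return a[1:] if a.startswith("~") else "~" + a

def acts(p, defs):
    """Action transitions of p as a set of (action, successor) pairs (CCS rules)."""
    if isinstance(p, Nil):
        return set()
    if isinstance(p, Pre):
        return set() if p.act == SIGMA else {(p.act, p.body)}
    if isinstance(p, Sum):
        return acts(p.left, defs) | acts(p.right, defs)
    if isinstance(p, Par):
        l, r = acts(p.left, defs), acts(p.right, defs)
        res = {(a, Par(p1, p.right)) for a, p1 in l} | {(b, Par(p.left, q1)) for b, q1 in r}
        return res | {(TAU, Par(p1, q1)) for a, p1 in l for b, q1 in r if co(a) == b}
    return acts(defs[p.name], defs)          # Const: unfold its defining equation

def tick(p, defs):
    """The unique clock successor of p (Table 2): 0 and a.P idle, σ.P becomes P,
    and time proceeds equally in both components of + and |."""
    if isinstance(p, Nil):
        return p
    if isinstance(p, Pre):
        return p.body if p.act == SIGMA else p
    if isinstance(p, Sum):
        return Sum(tick(p.left, defs), tick(p.right, defs))
    if isinstance(p, Par):
        return Par(tick(p.left, defs), tick(p.right, defs))
    return tick(defs[p.name], defs)

def reach(p, defs):
    """All terms reachable from p via action and clock transitions (assumed finite)."""
    seen, todo = set(), [p]
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.add(q)
            todo.append(tick(q, defs))
            todo.extend(q1 for _, q1 in acts(q, defs))
    return seen

def mt_faster(p, q, defs):
    """Decide P ⊒_mt Q (P at least as fast as Q): the largest MT-relation of Def. 1
    over the reachable state pairs, computed as a greatest fixed point."""
    sp, sq = reach(p, defs), reach(q, defs)
    step = {s: acts(s, defs) for s in sp | sq}
    clk = {s: tick(s, defs) for s in sp | sq}
    rel = {(x, y) for x in sp for y in sq}
    def cond1(a, x1, y):
        # Def. 1(1): Q may delay k ticks before matching a, and P' then delays k ticks
        # too; clocks are deterministic, so stop once a pair (σ^k P', σ^k Q) repeats.
        seen = set()
        while (x1, y) not in seen:
            seen.add((x1, y))
            if any(b == a and (x1, y1) in rel for b, y1 in step[y]):
                return True
            x1, y = clk[x1], clk[y]
        return False
    def holds(x, y):
        return (all(cond1(a, x1, y) for a, x1 in step[x])
                and all(any(b == a and (x1, y1) in rel for b, x1 in step[x])
                        for a, y1 in step[y])       # Def. 1(2): matched immediately
                and (clk[x], clk[y]) in rel)         # Def. 1(3)+(4), clocks deterministic
    while True:
        bad = {xy for xy in rel if not holds(*xy)}
        if not bad:
            return (p, q) in rel
        rel -= bad

# Sec. 6: two one-place cells C0|C0 versus the two-place buffer B0 (the paper's equations).
C0, C1, B0, B1, B2 = (Const(n) for n in ("C0", "C1", "B0", "B1", "B2"))
DEFS = {"C0": Pre("in", C1), "C1": Pre(SIGMA, Pre("out", C0)),
        "B0": Pre("in", B1), "B1": Sum(Pre(SIGMA, Pre("out", B0)), Pre("in", B2)),
        "B2": Pre(SIGMA, Pre("out", B1))}
TWO_CELLS = Par(C0, C0)
```

Running `mt_faster(TWO_CELLS, B0, DEFS)` yields True and the reverse direction False, as argued above; the same routine confirms the Sec. 5 instance of Axiom (P6), $a.\sigma.b.0 + a.b.0$ being exactly as fast as $a.b.0$.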

Another example, which compares the speeds of different forms of mail delivery 
and originates in [20], can be adapted from our earlier work on faster-than 
relations for processes with upper time bounds [17]. This adaptation only requires 
one to interpret $\sigma$-prefixes as lower time bounds instead of upper time 
bounds. The axiomatic reasoning may then proceed as in [17], which only employs 
axioms that are part of the axiom system presented in Sec. 5, too. 

7 Abstracting from Internal Computation 

As usual in process algebra, one wishes to coarsen a semantic theory by abstracting 
from the internal action $\tau$, which is supposed to be hidden from an external 
observer. While doing this is usually quite straightforward for CCS-based calculi 
[18], it turns out to be highly non-trivial here, which we guess may be the 
reason why it has not been attempted by Moller and Tofts in [20]. 

We start off by defining a weak version of our reference preorder, the amortized 
faster-than preorder, which requires us to introduce the following auxiliary 
notations. For any action $\alpha$ we define $\hat\alpha =_{df} \varepsilon$, if $\alpha = \tau$, and $\hat\alpha =_{df} \alpha$, otherwise. 
Further, we let $\Longrightarrow \;=_{df}\; (\xrightarrow{\tau})^*$ and write $P \stackrel{\gamma}{\Longrightarrow} Q$, where $\gamma \in \mathcal{A} \cup \{\sigma\}$, if there 
exist $R$ and $S$ such that $P \Longrightarrow R \xrightarrow{\gamma} S \Longrightarrow Q$. We also let $\stackrel{\varepsilon}{\Longrightarrow}$ stand for $\Longrightarrow$. 

Definition 11 (Weak amortized faster-than preorder). A family $(\mathcal{R}_i)_{i \in \mathbb{N}}$ 
of relations over $\mathcal{P}$ is a family of weak faster-than relations if, for all $i \in \mathbb{N}$, 
$(P, Q) \in \mathcal{R}_i$, and $a \in \mathcal{A}$: 

1. $P \xrightarrow{a} P'$ implies $\exists Q', k, k'.\ Q\,(\stackrel{\sigma}{\Longrightarrow})^k \stackrel{\hat a}{\Longrightarrow} (\stackrel{\sigma}{\Longrightarrow})^{k'} Q'$ and $(P', Q') \in \mathcal{R}_{i+k+k'}$. 

2. $Q \xrightarrow{a} Q'$ implies $\exists P', k, k'.\ k + k' \le i$, $P\,(\stackrel{\sigma}{\Longrightarrow})^k \stackrel{\hat a}{\Longrightarrow} (\stackrel{\sigma}{\Longrightarrow})^{k'} P'$ and 
$(P', Q') \in \mathcal{R}_{i-k-k'}$. 

3. $P \xrightarrow{\sigma} P'$ implies $\exists Q', k \ge 0.\ k \ge 1 - i$, $Q\,(\stackrel{\sigma}{\Longrightarrow})^k Q'$, and $(P', Q') \in \mathcal{R}_{i-1+k}$. 

4. $Q \xrightarrow{\sigma} Q'$ implies $\exists P', k \ge 0.\ k \le i + 1$, $P\,(\stackrel{\sigma}{\Longrightarrow})^k P'$, and $(P', Q') \in \mathcal{R}_{i+1-k}$. 

We write $P \sqsupseteq^{w}_i Q$ if $(P, Q) \in \mathcal{R}_i$ for some family of weak faster-than relations 
$(\mathcal{R}_i)_{i \in \mathbb{N}}$, and call $\sqsupseteq^{w}_0$ the weak amortized faster-than preorder. 

Relation $\sqsupseteq^{w}_0$ is indeed a preorder; while reflexivity is obvious, establishing transitivity 
is simple but nontrivial. The best way of proving transitivity is by showing 
that $\mathcal{R}_k =_{df} \bigcup \{\, \sqsupseteq^{w}_i \circ \sqsupseteq^{w}_j \mid i + j = k \,\}$, for $k \in \mathbb{N}$, is a family of weak faster-than 
relations. Moreover, one may check that $(\sqsupseteq^{w}_i)_{i \in \mathbb{N}}$ is the (componentwise) largest 
family of weak faster-than relations. 

Our weakening of the amortized faster-than preorder might appear surprising 
at first sight, due to the presence of trailing weak transitions $(\stackrel{\sigma}{\Longrightarrow})^{k'}$ on the 
right-hand side of the definition. As usual for weak bisimilarity, one may have 
a number of internal transitions before and after a matching action transition, 
and to get to these trailing internal transitions one may need to pass further 
clock transitions. 

As in the strong case, it is easy to see that $\sqsupseteq^{w}_0$ is not a precongruence, even 
not for parallel composition. For reasons we cannot discuss for lack of space, we 
define the following weak variant of the MT-preorder. (Observe the requirements 
$P'\,(\stackrel{\sigma}{\Longrightarrow})^{k+k'} P''$ in (1) and $P \stackrel{\sigma}{\Longrightarrow} P'$ in (4).) 

Definition 12 (Weak MT-preorder). A relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a weak MT-relation 
if, for all $(P, Q) \in \mathcal{R}$ and $a \in \mathcal{A}$: 

1. $P \xrightarrow{a} P'$ implies $\exists Q', k, P'', k'.\ Q\,(\stackrel{\sigma}{\Longrightarrow})^k \stackrel{\hat a}{\Longrightarrow} (\stackrel{\sigma}{\Longrightarrow})^{k'} Q'$, $P'\,(\stackrel{\sigma}{\Longrightarrow})^{k+k'} P''$, and 
$(P'', Q') \in \mathcal{R}$. 

2. $Q \xrightarrow{a} Q'$ implies $\exists P'.\ P \stackrel{\hat a}{\Longrightarrow} P'$ and $(P', Q') \in \mathcal{R}$. 

3. $P \xrightarrow{\sigma} P'$ implies $\exists Q'.\ Q \stackrel{\sigma}{\Longrightarrow} Q'$ and $(P', Q') \in \mathcal{R}$. 

4. $Q \xrightarrow{\sigma} Q'$ implies $\exists P'.\ P \stackrel{\sigma}{\Longrightarrow} P'$ and $(P', Q') \in \mathcal{R}$. 

We write $P \sqsupseteq^{w}_{\mathrm{mt}} Q$ if $(P, Q) \in \mathcal{R}$ for some weak MT-relation $\mathcal{R}$, and call $\sqsupseteq^{w}_{\mathrm{mt}}$ the 
weak MT-preorder. 

Relation $\sqsupseteq^{w}_{\mathrm{mt}}$ is a preorder, but the proof of transitivity is difficult. It is obvious 
from Defs. 1 and 12 that the MT-preorder $\sqsupseteq_{\mathrm{mt}}$ is a weak MT-relation and 
hence included in $\sqsupseteq^{w}_{\mathrm{mt}}$. Further, $\sqsupseteq^{w}_{\mathrm{mt}}$ is included in the weak amortized faster-than 
preorder $\sqsupseteq^{w}_0$, since one can prove that $\mathcal{R}_i =_{df} \{(P, Q) \mid P \;\cdots\}$ is 
a family of weak faster-than relations. 

Proposition 13. The weak MT-preorder $\sqsupseteq^{w}_{\mathrm{mt}}$ is compositional for all TACS^lt 
operators except summation. 

As expected for a CCS-based process calculus, $\sqsupseteq^{w}_{\mathrm{mt}}$ is not a precongruence for 
summation, but the summation fix used for other bisimulation-based timed process 
algebras proves adequate for TACS^lt, too. 
Definition 14 (Weak MT-precongruence). A relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a weak 
MT-precongruence relation if, for all $(P, Q) \in \mathcal{R}$ and $a \in \mathcal{A}$: 

1. $P \xrightarrow{a} P'$ implies $\exists Q', k, P'', k'.\ Q\,(\stackrel{\sigma}{\Longrightarrow})^k \stackrel{a}{\Longrightarrow} (\stackrel{\sigma}{\Longrightarrow})^{k'} Q'$, $P'\,(\stackrel{\sigma}{\Longrightarrow})^{k+k'} P''$, and 
$P'' \sqsupseteq^{w}_{\mathrm{mt}} Q'$. 

2. $Q \xrightarrow{a} Q'$ implies $\exists P'.\ P \stackrel{a}{\Longrightarrow} P'$ and $P' \sqsupseteq^{w}_{\mathrm{mt}} Q'$. 

3. $P \xrightarrow{\sigma} P'$ implies $\exists Q'.\ Q \stackrel{\sigma}{\Longrightarrow} Q'$ and $(P', Q') \in \mathcal{R}$. 

4. $Q \xrightarrow{\sigma} Q'$ implies $\exists P'.\ P \stackrel{\sigma}{\Longrightarrow} P'$ and $(P', Q') \in \mathcal{R}$. 

We write $P \sqsupseteq^{wc}_{\mathrm{mt}} Q$ if $(P, Q) \in \mathcal{R}$ for some weak MT-precongruence relation $\mathcal{R}$, 
and call $\sqsupseteq^{wc}_{\mathrm{mt}}$ the weak MT-precongruence. 

Again, $\sqsupseteq^{wc}_{\mathrm{mt}}$ is a preorder and the largest weak MT-precongruence relation. It is 
worth pointing out that the strong faster-than precongruence $\sqsupseteq$ is contained 
in the weak faster-than precongruence $\sqsupseteq^{wc}_{\mathrm{mt}}$, which follows by inspecting the 
respective definitions. The recursive definition of the weak MT-precongruence 
employed in (3) and (4) above reflects the fact that clock transitions do not 
resolve choices. 

Theorem 15. $\sqsupseteq^{wc}_{\mathrm{mt}}$ is the largest precongruence contained in $\sqsupseteq^{w}_{\mathrm{mt}}$. 

It remains an open question whether the weak MT-precongruence is also the 
largest precongruence contained in the weak amortized faster-than preorder. 
Our attempts at finding a suitable context for proving this full-abstraction result 
have been unsuccessful so far. Nevertheless, we believe in the validity of such a 
result and are optimistic about identifying a simpler formulation of the weak MT-preorder, 
referring to fewer internal computation steps, from which the desired 
context may be derived. 

8 Related Work 

Although there is a wealth of literature on timed process algebras [6], little 
work has been done in developing theories for relating processes with respect 
to speed. The approaches closest to ours are obviously the one by Moller and 
Tofts regarding processes equipped with lower time bounds [20], and our own 
one regarding processes equipped with upper time bounds [17]. As these have 
been referred to and discussed throughout, we refrain from repetitions here. 

The probably best-known related work focuses on comparing process efficiency 
rather than process speed. Arun-Kumar and Hennessy [3,4] have developed 
a bisimulation-based theory for untimed processes that is based on counting 
internal actions, which was later carried over to De Nicola and Hennessy's testing 
framework [12] by Natarajan and Cleaveland [21]. In these theories, runs of parallel 
processes are seen to be the interleaved runs of their component processes. 
Consequently, e.g., $(\tau.a.0 \,|\, \tau.\bar a.b.0) \backslash \{a\}$ is as efficient as $\tau.\tau.\tau.b.0$, whereas, in 
our setting, $(\sigma.a.0 \,|\, \sigma.\bar a.b.0) \backslash \{a\}$ is strictly faster than $\sigma.\sigma.\tau.b.0$. 

The sparse work on comparing process speeds largely concentrated on worst-case 
timing behavior on the basis of upper time bounds. Research by Vogler 
et al. [16,23] originally employed the concurrency-theoretic framework of Petri 
nets and testing semantics; it has only recently been carried over to the process 
algebra PAFAS [11] and is discussed in [17]. Simultaneously, Corradini et al. [10] 
pursued a different idea for relating processes with respect to speed, which is 
known as the ill-timed-but-well-caused approach [2,13]. This approach allows 
system components to attach local time stamps to actions. Since actions may 
occur as in an untimed process algebra, local time stamps may decrease within 
a sequence of actions which is exhibited by several processes running in parallel. 
The presence of these "ill-timed" runs makes it difficult to relate the faster-than 
preorder of Corradini et al. to the one of Moller and Tofts; a modified approach 
that restricts attention to "well-timed" behaviour might allow some meaningful 
result. 



9 Conclusions and Future Work 

In previous work [17], the authors investigated bisimulation-based preorders that 
relate the speeds of asynchronous processes relative to given upper time bounds, 
specifying when actions have to be executed at the latest. The present paper 
considered the case of lower time bounds, specifying when actions may be exe- 
cuted at the earliest, by revisiting the seminal approach of Moller and Tofts [20]. 
Although Moller and Tofts' work was published more than a decade ago and was the 
first to introduce a faster-than relation in timed process algebra, it was never 
followed up in the literature, except for [1] where characteristic formulae are 
provided. One reason for this might be the absence of strong theoretical results, 
including the absence of a compositionality result for arbitrary processes, of a 
full-abstraction result, and of a complete axiomatization for finite processes, as 
well as the bleak picture drawn in [20] for achieving such results elegantly. 

This paper established these nontrivial results by introducing some novel 
process-algebraic techniques, including a commutation lemma between action 
and clock transitions. In particular, we proved a full-abstraction theorem with 
respect to a very intuitive amortized preorder that uses bookkeeping for deciding 
whether one process is faster than another. In addition, an expansion law was 
established for finite processes, which paved the way for a sound and complete 
axiomatization of the Moller-Tofts preorder. This not only testifies to the nature 
of the MT-preorder but also highlights its importance among the sparse related 
work in the field. Last, but not least, a variant of the MT-preorder that abstracts 
from internal, unobservable actions was studied. 

Future work should proceed along three directions. First, we wish to complete 
the theory for our weak MT-precongruence by establishing the conjectured full- 
abstraction result. Second, the developed preorders should be implemented in a 
formal verification tool, such as the Concurrency Workbench NC [9]. Third, we 
intend to integrate our theory for lower time bounds with our earlier work on 
upper time bounds [17], thereby exploring the appropriateness of our faster-than 
approaches for settings with restricted asynchrony. 
Abstract. In this work we generalize the fundamental notion of recognizability 
from untimed to timed languages. The essence of our definition is the existence of a 
right-morphism from the monoid of timed words into a bounded subset of itself. We 
show that the recognizable languages are exactly those accepted by deterministic 
timed automata and argue that this is, perhaps, the right class of timed languages, 
and that the closure of untimed regular languages under projection is a positive 
accident that cannot be expected to hold beyond the finite-state case. 



1 Introduction 

Let $\Sigma^*$ be the free monoid generated by a finite set $\Sigma$. A set (language) $L \subseteq \Sigma^*$ 
is recognizable if there exists a finite deterministic automaton $\mathcal{A} = (Q, \delta, q_0, F)$ that 
accepts it. The automaton sends words into states via the mapping $\delta_{\mathcal{A}} : \Sigma^* \to Q$ 
defined as $\delta_{\mathcal{A}}(\varepsilon) = q_0$ and $\delta_{\mathcal{A}}(w \cdot a) = \delta(\delta_{\mathcal{A}}(w), a)$. A language $L$ is recognizable if 
$L = \bigcup_{q \in F} \delta_{\mathcal{A}}^{-1}(q)$ for some automaton $\mathcal{A}$. 

There are two common ways to express these notions more algebraically. One is to 
speak of a monoid morphism $\varphi$ from $\Sigma^*$ to a finite monoid $M$ satisfying $\varphi(w \cdot w') = 
\varphi(w) \cdot \varphi(w')$. The disadvantage of this approach is that the object under study is no 
longer the "action" of a word $w$ on the initial state, but rather the whole transformation 
it induces on $Q$. This object is much less intuitive (and typically exponentially larger) 
than the automaton. An alternative, mentioned briefly in [E74], is to speak of right 
modules and of a module morphism from the free module $(\Sigma^*, \Sigma)$ to the finite module 
$(Q, \Sigma)$. 

For the purpose of this paper we define an equivalent variation on this notion that will 
allow us to extend it easily to timed languages. Our definition is inspired by automaton 
learning theory [G72,A87] where every state of the automaton is identified with (one of) 
the first words¹ that reach it from $q_0$. The standard prefix partial-order on $\Sigma^*$ is defined 
as $u \le u \cdot v$ for every $u, v \in \Sigma^*$. A language is prefix-closed if it includes the prefixes 

* This work was partially supported by a grant from Intel, by the European Com- 
munity Projects IST-2001-35304 AMETIST (Advanced Methods for Timed Systems), 
http://ametist.cs.utwente.nl and by the CNRS project AS 93, Automates, modeles 
distribues et temporises. 

¹ That is, a word that reaches the state via a cycle-free run. 
of all its elements. The immediate exterior of a prefix-closed language $P$ is defined as 
$ext(P) = P \cdot \Sigma - P$, i.e. the first words that go outside $P$. 

Definition 1 (Recognizable Languages). A language $L$ is recognizable if there exists 
a finite prefix-closed subset $P \subseteq \Sigma^*$, a "right"-morphism $\rho : \Sigma^* \to P$ satisfying 

$\rho(w) = w$ if $w \in P$, and $\rho(w \cdot w') = \rho(\rho(w) \cdot w')$, 

and a subset $F \subseteq P$ such that $L = \bigcup_{w \in F} \rho^{-1}(w)$. 

As an example let us look at the deterministic automaton of Figure 1 and one of 
its spanning trees. The prefix-closed set $P = \{\varepsilon, b, ba, bb, baa, bbb, bbbb\}$ contains one 
representative for each of the states $\{q_0, \ldots, q_6\}$. The choice of $P$ is not unique and may 
depend on the spanning tree chosen. For example, we could replace $ba$ and $baa$ by $bba$ 
and $bbaa$ as representatives of $q_2$ and $q_4$, respectively. The morphism from $\Sigma^*$ to $P$ is 
defined, for elements outside $P$, via rewriting rules ("relations" in the algebraic jargon) 
that mimic the "non-spanning" transitions in the transition graph. Such a rewriting rule 
is defined for every element in $ext(P)$. In our example the rules are $a = \varepsilon$, $bba = ba$, 
$bab = \varepsilon$, $bbba = ba$, $baaa = baab = baa$, $bbbbb = baa$ and $bbbba = bbbb$. These 
rewriting rules can be applied only at the left of a word, that is, the rule $bba = ba$ 
corresponds to the family $bbaw = baw$ for every $w \in \Sigma^*$. 

The recognition of a word by this structure proceeds like reading the word by an 
automaton: a word $w$ is scanned until a prefix $u \in ext(P)$ is detected, such that $w = uv$. 
Then the rewriting rule $u = u'$ is applied, reducing $w$ to $w' = u'v$ with $u' = \rho(u) \in P$, 
and the process is continued with $w'$ until $w$ is reduced to a word in $P$ which is tested 
for membership in $F$ (in our example $F = \{bb\}$). 



Fig. 1. (a) A deterministic automaton; (b) A spanning tree of the automaton (the solid lines); (c) 
A minimal automaton for the language accepted by the automaton in (a); (d) A spanning tree for 
the minimal automaton. 



For untimed languages this exercise seems nothing more than a fancy formulation of 
acceptance by a finite automaton, yet it emphasizes the fundamental property of finite- 
state systems and languages: the ability to distinguish between a finite number of classes 
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of input histories. Before adapting this notion for timed languages let us recall some 
known facts about minimal automata and the notion of a state in a dynamical system. 

Every $L \subseteq \Sigma^*$ admits a unique canonical automaton $\mathcal{A}_L$ (not necessarily finite-state) that accepts it. Any other automaton accepting $L$ can be reduced to $\mathcal{A}_L$ by an automaton homomorphism (merging of states). This automaton is defined using the syntactic right-congruence¹ relation $\sim$ induced by $L$ on $\Sigma^*$:

$$u \sim v \quad\text{iff}\quad \forall w \in \Sigma^*.\; (uw \in L \Leftrightarrow vw \in L)$$

The states of the minimal automaton for $L$ are the equivalence classes of $\sim$. This is the Nerode part of the Myhill-Nerode characterization of regular languages as those for which $\sim$ has a finite index. A language like $a^n b^n$ can be proved non-recognizable by showing that $a^n \not\sim a^m$ for every $n \neq m$, and hence $\sim$ has an infinite index and no finite set of representatives of its congruence classes exists.

By choosing proper representatives for each class we can have a set $P$ of minimal size. Figure 1-(c) shows a minimal automaton for our example. The corresponding algebraic object is obtained from the non-minimal one by removing $bbbb$ from $P$, removing the rules $bbbbb = baa$ and $bbbba = bbbb$ and adding the rule $bbbb = baa$.
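The two procedures above, recognition by left rewriting into $P$ and the Nerode quotient that yields the minimal $P$ of Figure 1-(c), as an added example in Python (not code from the paper). It uses the representatives $P$, the rules and $F = \{bb\}$ stated in the text; the transition function on representatives and the partition-refinement loop are the editor's own construction.

```python
"""Recognition by left-rewriting into a set P of representatives, and
Nerode-style minimization of the induced transition structure.
Added example, not from the paper; P, the rules and F are those the text
gives for the automaton of Fig. 1."""
from typing import Dict, FrozenSet, List, Set, Tuple

SIGMA = "ab"
# Representatives P (one per state q_0..q_6) and the accepting set F.
P: Set[str] = {"", "b", "ba", "bb", "baa", "bbb", "bbbb"}
F: Set[str] = {"bb"}
# Rewriting rules u = u', one for every element of ext(P).
RULES: Dict[str, str] = {
    "a": "", "bba": "ba", "bab": "", "bbba": "ba",
    "baaa": "baa", "baab": "baa", "bbbbb": "baa", "bbbba": "bbbb",
}


def recognize(w: str) -> bool:
    """Scan w from the left; whenever the consumed prefix leaves P, apply
    the unique rule for it (rules act at the left of the word).  The word
    is accepted iff the final representative lies in F."""
    rep = ""
    for letter in w:
        rep += letter
        if rep not in P:
            assert rep in RULES, f"no rule for {rep!r}: ext(P) not covered"
            rep = RULES[rep]
    return rep in F


def delta(rep: str, letter: str) -> str:
    """Transition function on representatives induced by P and the rules."""
    nxt = rep + letter
    return nxt if nxt in P else RULES[nxt]


def nerode_classes() -> List[FrozenSet[str]]:
    """Moore partition refinement on the representatives: two of them end
    in the same block iff they are Nerode equivalent (every continuation
    agrees on membership in L).  Refinement only splits blocks, so the
    partition is stable once a round produces no new block."""
    blocks: List[FrozenSet[str]] = [frozenset(P - F), frozenset(F)]
    while True:
        block_of = {p: i for i, b in enumerate(blocks) for p in b}
        signature: Dict[Tuple[int, ...], Set[str]] = {}
        for p in P:
            key = (block_of[p],) + tuple(block_of[delta(p, c)] for c in SIGMA)
            signature.setdefault(key, set()).add(p)
        new_blocks = [frozenset(s) for s in signature.values()]
        if len(new_blocks) == len(blocks):
            return sorted(new_blocks, key=lambda b: sorted(b))
        blocks = new_blocks


def minimal_representatives() -> Set[str]:
    """Shortest representative of every Nerode class: the P of Fig. 1(c)."""
    return {min(b, key=lambda s: (len(s), s)) for b in nerode_classes()}
```

Running `nerode_classes()` merges exactly $baa$ and $bbbb$ (both are dead: no continuation reaches $bb$), which is the single merge the text describes when passing from Figure 1-(a) to 1-(c).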



2 Timed Languages 

We consider timed languages as subsets of the time-event monoid $\mathcal{T} = \Sigma^* \parallel \mathbb{R}_+$, the free product (shuffle) of the free monoid $(\Sigma^*, \cdot, \epsilon)$ and the commutative monoid $(\mathbb{R}_+, +, 0)$. This monoid has been introduced in [ACM02] as an alternative semantic domain for timed behaviors, where elements of $\Sigma$ indicate events and elements of $\mathbb{R}_+$ denote passage of time. Elements of $\mathcal{T}$ can be written as timed words of the form

$$t_0 \cdot a_1 \cdot t_1 \cdot a_2 \cdot t_2 \cdots a_n \cdot t_n \qquad (1)$$

with $t_i \geq 0$ and $a_i \in \Sigma \cup \{\epsilon\}$ for every $i$. Such a word indicates passage of $t_0$ time, followed by the occurrence of $a_1$, followed by passage of $t_1$ time, etc. The reader may find in [ACM02] more precise details, examples and a definition of a canonical form to which two equivalent timed words can be reduced. For example, $a \cdot 0 \cdot a'$ can be reduced to $a \cdot a'$ and $t \cdot \epsilon \cdot t'$ reduces to $t + t'$. The prefix partial-order relation on $\mathcal{T}$ is defined as $u \leq u \cdot v$ for any $u, v \in \mathcal{T}$. Note that, in particular, $w \cdot t \leq w \cdot t'$ whenever $t \leq t'$.

A timed word $w$ of the form (1) can be projected onto $\Sigma^*$ and $\mathbb{R}_+$, respectively, via the following two morphisms: the untime function $\mu(w) = a_1 \cdot a_2 \cdots a_n$ and the duration function $\lambda(w) = t_0 + t_1 + \cdots + t_n$. For an untimed word $u$, $|u|$ indicates its logical length (number of letters). These functions are lifted naturally from individual words to sets of words.

It is clear that the notion of finite recognizability is useless for timed languages. It suffices to look at the singleton language $\{5 \cdot a\}$, consisting of the word where $a$ occurs at time 5, and see that it has an uncountable number of Nerode classes, as $t \not\sim t'$ for every $t \neq t'$ where $t, t' < 5$. We believe that the suitable notion for timed languages is that of boundedness (which implies finiteness for discrete systems). Intuitively this means that one can distinguish between a finite number of classes of (qualitative) histories and in each of these classes it is possible to distinguish between durations taken from a bounded set.

¹ A right-congruence relation of $\Sigma^*$ is an equivalence relation such that $u \sim v$ implies $uw \sim vw$ for every $w$.

Definition 2 (Bounded Timed Languages). A timed language $L \subseteq \mathcal{T}$ is bounded if $\mu(L)$ is finite and $\lambda(L)$ is bounded in the usual sense of $\mathbb{R}_+$.

We want to generalize Definition 1 to timed languages using a bounded prefix-closed subset $P$ of $\mathcal{T}$ and a morphism to it. Before giving a formal definition let us illustrate the idea using the language

$$\{t \cdot a \cdot w : t \in [1, 5],\ w \in \mathcal{T}\}$$

consisting of all timed words that have no letters until 1 and an occurrence of $a$ somewhere in $[1, 5]$. The set $P$ should contain all the time prefixes $t$ with $t \in [0, 5]$. All the words of the form $t \cdot a$ with $t < 1$ are Nerode equivalent (they accept nothing) and can be represented by $a$, and the same holds for all $t$ with $t > 5$. Likewise, the words of the form $t \cdot a$ with $t \in [1, 5]$ are equivalent (they accept everything) and hence can be represented by $1 \cdot a$. So for this language we have

$$P = \{t : t \in [0, 5]\} \cup \{a\} \cup \{1 \cdot a\}, \qquad F = \{1 \cdot a\}$$

The immediate exterior of $P$ contains all the $a$-continuations of $P$ which are outside $P$, namely the words $t \cdot a$ with $t \in (0, 1) \cup (1, 5]$ as well as $a \cdot a$ and $1 \cdot a \cdot a$. The immediate exterior via time passage is harder to define due to the density of $(\mathbb{R}, <)$. In general, given a timed word $w$, one cannot² characterize its "first" time continuation. One solution would be to take an arbitrarily small positive $\varepsilon$ and let the exterior of $w$ be $\{w \cdot t : t \in (0, \varepsilon)\}$. We will use the notation $w \cdot \tau$ for that, and denote the corresponding elements of $ext(P)$ by $a \cdot \tau$, $1 \cdot a \cdot \tau$ and $5 \cdot \tau$. The morphism is defined using the following rewriting rules:

$$\{t \cdot a = a : t \in [0, 1)\} \qquad \{t \cdot a = 1 \cdot a : t \in [1, 5]\}$$

$$a \cdot a = a \cdot \tau = a \qquad 1 \cdot a \cdot a = 1 \cdot a \cdot \tau = 1 \cdot a \qquad 5 \cdot \tau = a$$
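An added example, not from the paper, that puts the time-event monoid (canonical form, $\mu$, $\lambda$, prefix order) and the rewriting rules just listed into Python: `reduce_to_P` applies the rules for $\{t \cdot a \cdot w : t \in [1, 5]\}$ from the left until a representative in $P$ remains and accepts iff that representative is $1 \cdot a$. The token encoding (a list of `Fraction` durations and one-letter strings) and the alphabet $\Sigma = \{a\}$ are assumptions of the example.

```python
"""Timed words in the time-event monoid, their canonical form, the untime
and duration projections, the prefix order, and a recognizer for
{t.a.w : t in [1,5]} built from the rewriting rules in the text.
Added example, not code from the paper.  Durations are Fractions so that
boundary cases such as t = 1 or t = 5 are decided exactly."""
from fractions import Fraction
from typing import List, Tuple, Union

Token = Union[Fraction, str]   # a duration, or an event letter (assumed encoding)
EPS = "eps"                    # the silent event epsilon


def canonical(w: List[Token]) -> List[Token]:
    """Reduce to canonical form: drop epsilon and zero durations and merge
    adjacent durations (t.eps.t' = t + t', a.0.a' = a.a')."""
    out: List[Token] = []
    for tok in w:
        if tok == EPS:
            continue
        if isinstance(tok, str):
            out.append(tok)
        elif tok < 0:
            raise ValueError("negative duration")
        elif tok == 0:
            continue
        elif out and not isinstance(out[-1], str):
            out[-1] = out[-1] + tok
        else:
            out.append(tok)
    return out


def untime(w: List[Token]) -> str:
    """mu(w): the sequence of event letters."""
    return "".join(tok for tok in canonical(w) if isinstance(tok, str))


def duration(w: List[Token]) -> Fraction:
    """lambda(w): total elapsed time."""
    return sum((tok for tok in canonical(w) if not isinstance(tok, str)), Fraction(0))


def is_prefix(u: List[Token], w: List[Token]) -> bool:
    """u <= w in the prefix order, i.e. w = u.v for some v.  Only the last
    duration of u may be shorter than the matching duration of w."""
    u, w = canonical(u), canonical(w)
    if len(u) > len(w):
        return False
    for i, (x, y) in enumerate(zip(u, w)):
        if isinstance(x, str) or isinstance(y, str):
            if x != y:
                return False
        elif x > y or (x < y and i != len(u) - 1):
            return False
    return True


# Representatives P for L = {t.a.w : t in [1,5]}: ("time", t) for t in [0,5],
# "a" (dead: a occurred before time 1, or no a by time 5) and "1a" (an a
# occurred within [1,5]; every continuation is accepted).  F = {"1a"}.
DEAD, LIVE = "a", "1a"
Rep = Union[Tuple[str, Fraction], str]


def reduce_to_P(w: List[Token]) -> Rep:
    """Apply the rewriting rules from the left until the word lies in P."""
    rep: Rep = ("time", Fraction(0))
    for tok in canonical(w):
        if rep in (DEAD, LIVE):          # a.a = a.tau = a ; 1.a.a = 1.a.tau = 1.a
            continue
        t = rep[1]
        if isinstance(tok, str):
            if tok != "a":               # assumption of this example: Sigma = {a}
                raise ValueError("alphabet of this example is {a}")
            rep = LIVE if t >= 1 else DEAD   # t.a = 1.a for t in [1,5], t.a = a for t < 1
        elif t + tok <= 5:
            rep = ("time", t + tok)      # still one of the time prefixes in P
        else:
            rep = DEAD                   # 5.tau = a
    return rep


def accepts(w: List[Token]) -> bool:
    return reduce_to_P(w) == LIVE
```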

A discrete-time interpretation of this object appears in Figure 2. As one can see, we need a formalism to express parameterized families of words belonging to $P$ and $F$ as well as parameterized families of rewriting rules. The choice of this formalism depends on the type of dense-time automata whose expressive power we want to match. In this work we concentrate on timed automata and, before doing so, let us give an example of a non-recognizable timed language,

$$L_{bad} = \mathcal{T} \cdot \{a \cdot t_1 \cdot a \cdot t_2 \cdots t_n \cdot a : n \in \mathbb{N} \wedge \sum_{i=1}^{n} t_i = 1\}. \qquad (2)$$

² Perhaps a definition can be given using non-standard analysis with infinitesimals, or by taking limits on a sequence of discretizations with decreasing time steps.
This language, which can be "accepted" by a non-deterministic timed automaton, was introduced by Alur [A90] to demonstrate the non-closure of timed automata under complementation. It is not hard to see that for every $n$

$$a \cdot t_1 \cdot a \cdots t_n \cdot a \;\not\sim\; a \cdot t_1 \cdot a \cdots t_n \cdot a \cdot t_{n+1} \cdot a$$

whenever $0 < \cdots < 1$, and hence for any $P$, $\mu(P)$ should contain the infinite language $\{a^n : n \in \mathbb{N}\}$ and $P$ cannot be bounded.




Fig. 2. An acceptor for a discrete time interpretation of $[1, 5] \cdot a \cdot \mathcal{T}$. Transitions labeled by $\tau$ indicate passage of one time unit. Dashed arrows indicate non-spanning transitions that correspond to the rewriting rules.



3 Timed Automata 

We consider $\Sigma$-labeled timed automata as acceptors of subsets of $\mathcal{T}$. Timed automata are automata operating in the dense time domain. Their state-space is a product of a finite set of discrete states (locations) and the clock-space $\mathbb{R}_+^m$, the set of possible valuations of a set of clock variables. The behavior of the automaton consists of an alternation of time-passage periods, where the automaton stays in the same location and the clock values grow uniformly, and of instantaneous transitions that can be taken when clock values satisfy certain conditions and which may reset some clocks to zero.

The interaction between clock values and discrete transitions is specified by conditions on the clock-space which determine what future evolution, either passage of time or one or more transitions, is possible at a given part of the state-space. The clocks allow the automaton to remember, to a certain extent, some of the quantitative timing information associated with the input word. This ability is bounded due to the finite number of clocks and due to the syntactic restrictions on the form of the clock conditions, namely comparisons of clock values with a finite number of rational constants. This, combined with the monotonicity of clock growth, means that a clock becomes "inactive" after its value crosses the value of the maximal constant $k$, and it cannot distinguish in that state between time durations of length $k$ and of length $k + t$ for any positive $t$.

Let $X = \{x_1, \ldots, x_m\}$ be a set of clock variables. A clock valuation is a function $\mathbf{x} : X \to \mathbb{R}_+$. We use $\mathbf{1}$ to denote the unit vector $(1, \ldots, 1)$ and $\mathbf{0}$ for the zero vector $(0, \ldots, 0)$.

Definition 3 (Clock and Zone Constraints). A clock constraint is either a single clock constraint $x \prec d$ or a clock difference constraint $x_i - x_j \prec d$, where $\prec \in \{<, \leq, =, \geq, >\}$ and $d$ is an integer. A zone constraint is a conjunction of clock constraints.
Definition 4 (Timed Automaton). A timed automaton is $\mathcal{A} = (Q, X, q_0, I, \Delta, F)$ where $Q$ is a finite set of states (locations), $X$ is a finite set of clocks, $I$ is the staying condition (invariant), assigning to every $q \in Q$ a zone $I_q$, and $\Delta$ is a transition relation consisting of elements of the form $(q, a, \phi, \rho, q')$ where $q$ and $q'$ are states, $a \in \Sigma \cup \{\epsilon\}$, $\rho \subseteq X$ and $\phi$ (the transition guard) is a rectangular zone constraint. The initial state is $q_0$ and the acceptance condition $F$ is a finite set of pairs of the form $(q, \phi)$ where $\phi$ is a zone constraint.

A configuration of the automaton is a pair $(q, \mathbf{x})$ consisting of a location and a clock valuation. Every subset $\rho \subseteq X$ induces a reset function $Reset_\rho$ on valuations which resets to zero all the clocks in $\rho$ and leaves the other clocks unchanged. A step of the automaton is one of the following:

- A discrete step: $(q, \mathbf{x}) \xrightarrow{a} (q', \mathbf{x}')$, for some transition $\delta = (q, a, \phi, \rho, q') \in \Delta$, such that $\mathbf{x}$ satisfies $\phi$ and $\mathbf{x}' = Reset_\rho(\mathbf{x})$. The label of such a step is $a$.

- A time step: $(q, \mathbf{x}) \xrightarrow{t} (q, \mathbf{x} + t\mathbf{1})$, $t \in \mathbb{R}_+$, such that $\mathbf{x} + t'\mathbf{1}$ satisfies $I_q$ for every $t' \leq t$. The label of a time step is $t$.

A run of the automaton starting from the initial configuration $(q_0, \mathbf{0})$ is a finite sequence of steps

$$\xi: (q_0, \mathbf{0}) \to (q_1, \mathbf{x}_1) \to \cdots \to (q_n, \mathbf{x}_n).$$

A run is accepting if it ends in a configuration satisfying $F$. The timed word carried by the run is obtained by concatenating the step labels. The timed language accepted by a timed automaton $\mathcal{A}$ consists of all words carried by accepting runs and is denoted by $L_{\mathcal{A}}$.

A timed automaton is deterministic if from every reachable configuration every event and "non-event" leads to exactly one configuration. This means that the automaton cannot make both a "silent" transition and a time passage in the same configuration.

Definition 5 (Deterministic Timed Automaton). A deterministic timed automaton is an automaton whose guards and staying conditions satisfy:

1. For every two distinct transitions $(q, a, \phi_1, \rho_1, q_1)$ and $(q, a, \phi_2, \rho_2, q_2)$, $\phi_1$ and $\phi_2$ have an empty intersection (event determinism).

2. For every transition $(q, \epsilon, \phi, \rho, q') \in \Delta$, the intersection of $\phi$ with $I_q$ is, at most, a singleton (time determinism).

In deterministic automata any word is carried by exactly one run. We denote the class of timed languages accepted by such automata by DTA.
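Definitions 4 and 5 as an added Python simulator (not the paper's code): configurations $(q, \mathbf{x})$, time steps checked against $I_q$, guarded discrete steps with resets, and the event-determinism check. The sample automaton is hypothetical, a two-clock acceptor for "three $a$'s, the second exactly 1 time unit after the beginning and the third exactly 1 after the first", and is not the automaton of Figure 3; $\epsilon$-transitions are not modelled, and a word for which no run exists is simply rejected.

```python
"""Simulator for deterministic timed automata over dense time.
Added example, not code from the paper.  Clock values are Fractions so
that guards such as x = 1 are decided exactly."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

Valuation = Dict[str, Fraction]
Zone = Callable[[Valuation], bool]       # a zone constraint as a predicate
Config = Tuple[str, Valuation]


@dataclass(frozen=True)
class Transition:
    src: str
    label: str
    guard: Zone
    resets: FrozenSet[str]
    dst: str


@dataclass
class DTA:
    clocks: Tuple[str, ...]
    initial: str
    invariant: Dict[str, Zone]           # staying condition I_q per location
    transitions: List[Transition]
    accepting: List[Tuple[str, Zone]]    # F: pairs (q, phi)

    def time_step(self, q: str, x: Valuation, t: Fraction) -> Optional[Valuation]:
        """(q, x) -t-> (q, x + t.1).  Zones are convex, so I_q holds along the
        whole segment iff it holds at both endpoints."""
        x2 = {c: v + t for c, v in x.items()}
        return x2 if self.invariant[q](x) and self.invariant[q](x2) else None

    def discrete_step(self, q: str, x: Valuation, a: str) -> Optional[Config]:
        """(q, x) -a-> (q', Reset_rho(x)).  Event determinism: at most one
        a-labelled transition out of q may be enabled at any valuation."""
        enabled = [d for d in self.transitions
                   if d.src == q and d.label == a and d.guard(x)]
        if len(enabled) > 1:
            raise ValueError(f"non-deterministic choice in {q} on {a!r}")
        if not enabled:
            return None                  # no run continues from here
        d = enabled[0]
        return d.dst, {c: (Fraction(0) if c in d.resets else v) for c, v in x.items()}

    def run(self, word: List[Union[Fraction, str]]) -> Optional[Config]:
        """The unique configuration reached by a timed word, or None."""
        q, x = self.initial, {c: Fraction(0) for c in self.clocks}
        for tok in word:
            if isinstance(tok, str):
                step = self.discrete_step(q, x, tok)
                if step is None:
                    return None
                q, x = step
            else:
                x2 = self.time_step(q, x, tok)
                if x2 is None:
                    return None
                x = x2
        return q, x

    def accepts(self, word: List[Union[Fraction, str]]) -> bool:
        cfg = self.run(word)
        return cfg is not None and any(q == cfg[0] and phi(cfg[1])
                                       for q, phi in self.accepting)


TRUE: Zone = lambda _: True
# Hypothetical two-clock acceptor (an assumption of this example, not the
# paper's Figure 3): x is never reset, y is reset at the first a.  The
# staying condition x <= 1 in q1 forbids waiting past the second a's deadline.
EXAMPLE = DTA(
    clocks=("x", "y"),
    initial="q0",
    invariant={"q0": TRUE, "q1": lambda v: v["x"] <= 1, "q2": TRUE, "q3": TRUE},
    transitions=[
        Transition("q0", "a", TRUE, frozenset({"y"}), "q1"),
        Transition("q1", "a", lambda v: v["x"] == 1, frozenset(), "q2"),
        Transition("q2", "a", lambda v: v["y"] == 1, frozenset(), "q3"),
        Transition("q3", "a", TRUE, frozenset(), "q3"),
    ],
    accepting=[("q3", TRUE)],
)
```

Because guards are checked against the exact valuation, an interval guard such as $x \in [1, 2]$ on an $a$-labelled transition stays deterministic here: the word decides the value of $x$ at the moment $a$ is read.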

Before defining the recognizable timed languages let us present a particular atomic type of zones called regions, introduced in [AD94], which play a special role in the theory of timed automata. Intuitively a region consists of all clock valuations that are not (and will not be) distinguishable by any clock constraint. A region constraint is a zone constraint which for every $x$ contains a constraint of one of the following forms: $x = d$, $d < x < d + 1$ or $k < x$, and for every pair of clocks either $x_i - x_j = d$ or $d < x_i - x_j < d + 1$. The set of all regions over $m$ clocks with a largest constant³ $k$ is denoted by $\mathcal{G}^m_k$.

Regions are the elementary zones from which all other zones can be built. Two clock valuations that belong to the same region satisfy the same guards and staying conditions. Moreover, by letting time pass from any two such points, the next visited region is the same. Finally, any reset of clocks sends all the elements of one region into the same region. This motivates the definition [AD94] of the "region automaton", a finite-state automaton whose state space is $Q \times \mathcal{G}^m_k$ and whose transition relation is constructed as follows. First we introduce a special symbol $\tau$ which indicates the passage of an under-specified amount of time, and connect two regions $\mathcal{R}$ and $\mathcal{R}'$ by a $\tau$-transition, denoted by $(q, \mathcal{R}) \xrightarrow{\tau} (q, \mathcal{R}')$, if time can progress in $(q, \mathcal{R})$ and $\mathcal{R}'$ is the next region encountered while doing so. Secondly, for every transition $(q, a, \phi, \rho, q')$ and every $\mathcal{R}$ which satisfies $\phi$ we define a transition $(q, \mathcal{R}) \xrightarrow{a} (q', \mathcal{R}')$ if $\mathcal{R}'$ is the result of applying $Reset_\rho$ to $\mathcal{R}$. As an example consider the deterministic automaton and its corresponding region automaton appearing in Figure 3. The automaton accepts any word with 3 $a$'s such that the second occurs 1 time unit after the beginning and the third 1 time unit after the first.⁴
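Regions and their $\tau$-successors as an added Python example (not code from the paper): `region_of` computes the key of the region of [AD94] containing a valuation (integer parts, which clocks sit on an integer, which exceed $k$, and the order with ties of the remaining fractional parts), and `time_successor` returns a representative of the next region reached by letting time pass. Clock names and the constant $k = 2$ used in the checks are assumptions of the example.

```python
"""Alur-Dill regions for clocks with largest constant k, and the time
successor of a region as used to build the region automaton.
Added example, not code from the paper.  Values are Fractions so that
integer boundaries are detected exactly."""
from fractions import Fraction
from math import floor
from typing import Dict, List, Tuple

Valuation = Dict[str, Fraction]


def region_of(x: Valuation, k: int) -> Tuple:
    """Canonical key of the region containing x: for every clock its integer
    part and whether its fractional part is zero (or just 'above k'), plus
    the increasing order, with ties grouped, of the non-zero fractional parts
    of the clocks still <= k.  Two valuations satisfy exactly the same clock
    constraints with constants <= k iff they get the same key."""
    per_clock = []
    fracs: Dict[Fraction, List[str]] = {}
    for c in sorted(x):
        v = x[c]
        if v > k:
            per_clock.append((c, "above_k"))    # inactive clock: only x > k matters
            continue
        i = floor(v)
        f = v - i
        per_clock.append((c, i, f == 0))
        if f != 0:
            fracs.setdefault(f, []).append(c)
    order = tuple(tuple(fracs[f]) for f in sorted(fracs))
    return (tuple(per_clock), order)


def time_successor(x: Valuation, k: int) -> Valuation:
    """A representative of the next region entered when time passes from x
    (the tau-transition of the region automaton).  If some clock <= k sits
    on an integer, any delay short of the next boundary leaves it; otherwise
    the delay is the one bringing the largest fractional part to an integer.
    If every clock is already above k, the region is terminal."""
    live = {c: v for c, v in x.items() if v <= k}
    if not live:
        return dict(x)
    fracs = [v - floor(v) for v in live.values()]
    if any(f == 0 for f in fracs):
        gaps = [1 - f for f in fracs if f != 0] or [Fraction(1)]
        delta = min(gaps) / 2
    else:
        delta = 1 - max(fracs)
    return {c: v + delta for c, v in x.items()}


def region_path(x: Valuation, k: int, steps: int) -> List[Tuple]:
    """The sequence of regions visited by letting time pass from x."""
    path = [region_of(x, k)]
    for _ in range(steps):
        x = time_successor(x, k)
        path.append(region_of(x, k))
    return path
```

With two clocks and $k = 2$ the walk from $(x, y) = (0.4, 0)$ first visits the open region with $0 < y < x < 1$ and then the region with $x = 1$, $0 < y < 1$, which is exactly the sequence the $\tau$-edges of the region automaton would record.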



4 Recognizable Timed Languages 

Let $T_n = \{t_0, \ldots, t_n\}$ be an ordered set of non-negative real variables. A contiguous sum over $T_n$ is $S_{j..k} = \sum_{i=j}^{k} t_i$ and the set of all such sums over $T_n$ is denoted by $\mathcal{S}^n$. A timed inequality on $T_n$ is a condition of the form $S_{j..k} \in J$ where $J$ is an interval with natural endpoints. A timed condition is a conjunction of timed inequalities.

A timed language $L$ is elementary if $\mu(L) = \{u\}$ with $u = a_1 \cdots a_n$ and the set $\{(t_0, \ldots, t_n) : t_0 \cdot a_1 \cdots a_n \cdot t_n \in L\}$ is definable by a timed condition $A$. We will sometimes denote elementary languages by a pair $(u, A)$. The immediate exterior $ext(L)$ of an elementary language $L = (u, A)$ consists of the following sets: for every $a \in \Sigma$, $ext^a(L)$ is the set $(u \cdot a, A^a)$ where $A^a = A \cup \{t_{n+1} = 0\}$. The immediate exterior via time passage is $ext^\tau(L) = (u, A^\tau)$ where $A^\tau$ is obtained from $A$ as follows. If $A$ contains one or more equality constraints of the form $S_{j..n} = d$, these constraints are replaced by constraints of the form $d < S_{j..n}$. Otherwise, let $j$ be the smallest number such that a constraint of the form $S_{j..n} < d$ appears in $A$. This constraint is replaced by $S_{j..n} = d$.

Definition 6 (Chronometric Subset). A subset $P$ of $\mathcal{T}$ is chronometric if it can be written as a finite union of disjoint elementary languages.



³ There are some simplifications in the description in order to avoid a full exposition of the theory of timed automata. In particular, if some clock $x > k$ in some region, we do not care anymore about its comparisons with other clocks. This way the region automaton has just one terminal state in which all the clocks are larger than $k$. Readers interested in all the subtle details may consult [B03].

⁴ Note that the existence of two transitions leaving $q_2$, one labeled with $x = 1$ and one with $x = 1, a$, is not considered a violation of determinism. A word $1 \cdot t$ for an arbitrarily small $t$ will take the former and the word $1 \cdot a$ will take the latter.
Fig. 3. A timed automaton with 2 clocks and its region automaton. Solid arrows indicate time passage and $\epsilon$ transitions while dashed arrows are $a$ transitions. The $a$-labeled self-loops from all regions associated with $q_4$ and $q_5$ are depicted in a StateChart style. The regions are detailed in Table 1.



Definition 7 (Chronometric Relational Morphism). Let $P$ be a bounded and prefix-closed subset of $\mathcal{T}$. A chronometric (relational) morphism $\Phi$ from $\mathcal{T}$ to $P$ is a relation definable by a finite set of tuples $(u, A, u', A', E)$ such that each $(u, A)$ is an elementary language included in $ext(P)$, each $(u', A')$ is an elementary language contained in $P$, and $E$ is a set of equalities of the form $\sum_{i=j}^{n} t_i = \sum_{i=k}^{n'} t'_i$ where $n = |u|$ and $n' = |u'|$.

It is required that all $(u, A)$ are disjoint and their union is equal to $ext(P)$. For every $w = t_0 \cdot a_1 \cdots a_n \cdot t_n$ and $w' = t'_0 \cdot b_1 \cdots b_{n'} \cdot t'_{n'}$, $(w, w') \in \Phi$ iff there exists a tuple $(u, A, u', A', E)$ in the presentation of $\Phi$ such that $w \in (u, A)$, $w' \in (u', A')$ and the respective time values for $w$ and $w'$ satisfy all the equalities in $E$. The definition of $\Phi$ for words outside $ext(P)$ is done via the identity $\Phi(u \cdot v) = \Phi(\Phi(u) \cdot v)$.

As an example of a component $(u, A, u', A', E)$ of a chronometric morphism let

$$(u, A) = (t_0 \cdot a \cdot t_1 \cdot a,\ \{0 < t_0 < 1,\ 0 < t_1 < 1,\ 0 < t_0 + t_1 < 1\}),$$

$$(u', A') = (r_0 \cdot a \cdot r_1 \cdot a \cdot r_2,\ \{0 < r_0 < 1,\ r_1 = 0,\ 0 < r_2 < 1,\ 0 < r_0 + r_1 + r_2 < 1\})$$

and

$$E = \{t_0 + t_1 = r_0 + r_1 + r_2\}.$$

This component corresponds to the non-spanning transition $\mathcal{R}_5 \cdot a = \mathcal{R}_{11}$ in the region automaton of Figure 3.

The relation $\Phi$ is said to be well formed if the following holds for each tuple $(u, A, u', A', E)$ in $\Phi$:

- For every $w \in (u, A)$, there exists $w' \in (u', A')$ such that $(w, w') \in \Phi$.

- For every $w' \in (u', A')$, there exists $w \in (u, A)$ such that $(w, w') \in \Phi$.

A relation $\Phi$ is said to be compatible with a chronometric subset $F$ if for every $(u, A, u', A', E)$ in $\Phi$, either $(u', A') \subseteq F$ or $(u', A') \cap F = \emptyset$.

Remark: From a well formed relational chronometric morphism $\Phi$ one can derive a (functional) chronometric morphism $\varphi : \mathcal{T} \to P$ by letting $\varphi(w)$ be some $w'$ such that $(w, w') \in \Phi$. From the relation described above we can derive functional morphisms such as $\varphi(t_0 \cdot a \cdot t_1 \cdot a) = t_0 \cdot a \cdot a \cdot t_1$, or $\varphi(t_0 \cdot a \cdot t_1 \cdot a) = a \cdot a \cdot (t_0 + t_1)$. While functional morphisms follow more closely the spirit of classical theory, relational morphisms are more suitable for the proofs in this paper.

Definition 8 (Recognizable Timed Languages). A timed language $L$ is recognizable if there is a chronometric prefix-closed set $P$, a chronometric subset $F$ of $P$ and a chronometric relational morphism $\Phi : \mathcal{T} \to P$ compatible with $F$ such that

$$L = \bigcup_{w \in F} \Phi^{-1}(w).$$



4.1 From Deterministic Automata to Recognizable Languages

We are now ready to prove the first result, stating that every language accepted by a DTA is recognizable, by assigning timed words to reachable configurations. The correspondence between values of clock variables in the automaton and values of time variables in an input word of length $n$ is done via a clock binding over $(X, T_n)$, a function $\beta : X \to \mathcal{S}^n$ associating with every clock $x$ a contiguous sum of the form $S_{j..n}$. Recall that a region is a conjunction of single clock constraints and clock difference constraints. By substituting $\beta(x)$ for $x$, the former become timed inequalities and the latter become inequalities on $S_{j..n} - S_{k..n} = S_{j..k-1}$ (for $j < k$) and, hence, timed inequalities as well.

Claim 1 (DTA $\subseteq$ REC). From every deterministic timed automaton $\mathcal{A}$ one can construct a chronometric prefix-closed subset $P$ of $\mathcal{T}$ and a morphism $\Phi : \mathcal{T} \to P$ such that if $(w, w') \in \Phi$ then $w$ and $w'$ lead to the same configuration from the initial state.
Sketch of Proof: Build the region automaton for $\mathcal{A}$ and pick a spanning tree in which each region is reached via a simple path. Starting from the root we associate with every region an elementary timed language in a prefix-closed manner. More precisely, with every region $\mathcal{R}$ of the automaton we associate the triple $(u, A, \beta)$ where $(u, A)$ is an elementary timed language with $|u| = n$ and $\beta$ is a clock binding on $(X, T_n)$. We decompose $A$ into two sets of timed inequalities $A_-$ and $A_+$, where $A_-$ consists of the "anachronistic" inequalities not involving $t_n$ and $A_+$ of the "live" constraints involving $t_n$. Note that transitions may change the binding and move some inequalities from $A_+$ to $A_-$.

For the initial region $\mathcal{R}_0 = (q_0, \mathbf{0})$, $u = \epsilon$, $A = A_+$ is $t_0 = 0$ and all clocks are bound to $t_0$. Consider now the inductive step. Given a region $\mathcal{R}$ with $(u, A, \beta)$ we compute $(u', A', \beta')$ for its successor (via a spanning transition) $\mathcal{R}'$. There are two cases:

1. $\mathcal{R}'$ is a simple time successor of $\mathcal{R}$: in this case $u' = u$ and $\beta' = \beta$. We let $A'_- = A_-$ and obtain $A'_+$ from the region formula $\phi'$ by replacing every clock $x$ by $\beta(x)$.⁵

2. $\mathcal{R}'$ is a transition successor of $\mathcal{R}$ via an $a$-labeled⁶ transition: in this case $u' = u \cdot a \cdot t_{n+1}$, we have a new time variable $t_{n+1}$ and the $(X, T_{n+1})$ binding $\beta'$ is derived from $\beta$ and from the corresponding transition as follows. If a clock $x$ is not reset by the transition then $\beta'(x) = S_{i..n+1}$ whenever $\beta(x) = S_{i..n}$. If $x$ is reset then $\beta'(x) = t_{n+1}$ (note that $x = 0$ in $\mathcal{R}'$). To compute $A'_-$ we add to $A_-$ the substitution of $\beta(x)$ for $x$ in $\phi$ and let $A'_+$ be the substitution of $\beta'(x)$ in $\phi'$.

From this construction it is easy to see that the union of the obtained languages is prefix-closed (we proceed by concatenation and by respecting past timing constraints) and chronometric, and that all reachable configurations are covered by words.

Next, we construct the relation $\Phi$ based on transitions which correspond to back- or cross-edges in the spanning tree. Consider a non-spanning transition leading from region $\mathcal{R}$ with characteristic $(u, A, \beta)$ into region $\mathcal{R}'$ with characteristic $(u', A', \beta')$. Let $(u'', A'', \beta'')$ be the language and binding associated with the successor of $\mathcal{R}$ according to the previously described procedure. This transition contributes to $\Phi$ the tuple $(u'', A'', u', A', E)$. For each clock $x$ which is not reset by the transition, $E$ contains the equality $\beta'(x) = \beta''(x)$. If $x$ is reset by the transition, then $E$ contains the equality $\beta'(x) = 0$. □

Table 1 shows the correspondence between the regions of Figure 3 and elementary languages. The numbering of the regions is consistent with the chosen spanning tree.

4.2 From Recognizable Languages to Deterministic Automata 

We will now prove the other direction by building a deterministic timed automaton for a given recognizable language. To facilitate the construction we will use an extended form of timed automata, proposed in [SV96], where transitions can be labelled by assignments of the form $x := 0$ and $x := y$ (clock renaming). As shown in [SV96] such automata can be transformed into standard timed automata (see also [BDFP00]).

⁵ Note that $A_+$ and $A'_+$ are very similar, consisting of almost identical sets of inequalities differing from each other only by replacing one or more inequalities of the form $S_{i..n} = d$ by $d < S_{i..n} < d + 1$, etc.

⁶ The special case where the transition is not labeled is resolved by introducing a new time variable $t_{n+1}$ such that the word can be written as $t_0 \cdots a_n \cdot t_n \cdot \epsilon \cdot t_{n+1}$.

Claim 2 (REC $\subseteq$ DTA). From every chronometric subset $P$ of $\mathcal{T}$ and a chronometric morphism $\Phi : \mathcal{T} \to P$ one can build a DTA $\mathcal{A}$ such that if two timed words $w$ and $w'$ lead to the same configuration in $\mathcal{A}$ then $(w, w') \in \Phi$.

Sketch of Proof: The construction of the automaton starts with an untimed automaton (with a tree structure) whose set of states is $\mu(P)$, with $\epsilon$ as the initial state and a transition function such that $\delta(u, a) = u \cdot a$ whenever $u \cdot a$ is in $\mu(P)$. We then decorate the automaton with staying conditions, transition guards, and resets as follows. With every transition we reset a new clock so that for every word $t_0 \cdot a_1 \cdots a_n \cdot t_n$, the value of clock $x_i$ at any state $a_1 \cdots a_j$, $i \leq j$, is bound to $S_{i..j}$.

For every state $u = a_1 \cdots a_n \in \mu(P)$ let

$$A(u) = \{(t_0, \ldots, t_n) : t_0 \cdot a_1 \cdots a_n \cdot t_n \in P\}.$$

By decomposing $A(u)$ into anachronistic ($A_-$) and live ($A_+$) constraints and substituting $x_i$ for every $S_{i..n}$ in $A_+$, we obtain the staying condition for state $u$.

For every $u$ and $a$ such that $u \cdot a$ is in $\mu(P)$ let

$$H_{u,a} = \{(t_0, \ldots, t_n) : t_0 \cdot a_1 \cdots a_n \cdot t_n \cdot a \in P\}.$$

Without loss of generality we assume that $H_{u,a}$ is definable by a timed condition.⁷ Hence every expression $S_{i..j}$ in it can be replaced by a difference of clocks (with the binding above, $S_{i..j} = x_i - x_{j+1}$ for $j < n$ and $S_{i..n} = x_i$) and the whole condition can be transformed into a zone constraint that will serve as the guard of the transition between $u$ and $u \cdot a$. This way we have an automaton in which every element of $P$ reaches a distinct configuration.

Consider an element $(u \cdot a, A, u', A', E) \in \Phi$ such that $(u \cdot a, A) \in ext^a(P)$, with $|u| = n$ and $|u'| = n'$. Such an element introduces into the constructed automaton an $a$-labeled transition from $u$ to $u'$. For every constraint of the form $S_{j..k} \in J$ included in $A$, we include in the transition guard the constraint $x_j - x_k \in J$. For every equality $S_{j..n'} = S_{k..n}$ included in $E$, we add to the reset function the assignment $x_j := x_k$. Likewise every $(u, A, u', A', E) \in \Phi$ such that $(u, A) \subseteq ext^\tau(P)$ induces a timed transition from $u$ to $u'$ with a guard and a reset function similar to the previous case. □

Corollary 1 (REC=DTA). The recognizable timed languages are those accepted by a 
deterministic timed automaton. 



5 Discussion 

Ever since the introduction of timed automata and the observation that their languages are not closed under complementation, researchers were trying to find a well-behaving sub-class of languages.⁸ Among the proposals given, we mention the event-clock automata of [AFH99] where for each letter in the alphabet, the automaton can measure only the time since its last occurrence. It was shown that these languages admit a deterministic timed acceptor. Recognizable timed languages take this idea further by allowing the automaton to remember the occurrence times of a finite number of events, not necessarily of distinct types.

⁷ In general it could be definable by a finite union of timed conditions and we should make several transitions from $u$ to $u \cdot a$.

⁸ The question whether a non-deterministic timed automaton can be determinized is undecidable, see [T03].

Table 1. Correspondence between regions in the automaton of Figure 3 and timed words.

The ideas of [AFH99] were developed further in [RS97] and [HRS98], resulting in a rich class of timed languages characterized by a decidable logic. While being satisfactory from a logical point of view, the automaton characterization of this class is currently very complicated, involving cascades of event-recording and event-predicting timed automata. We feel that our more restricted class of recognizable languages captures the natural extension of recognizability toward timed languages, namely which classes of input histories can be distinguished by a finite number of states and a finite number of bounded clocks.

Deterministic timed languages have not been studied much in the literature due to several reasons. The first is a slight confusion about what deterministic means in this context, and between acceptors and generators in general. A transition guarded by a "fat" condition of the form $x \in [l, u]$ is non-deterministic only if it is not labeled by an input letter. If it is labeled by an input $a$ the transition is deterministic, reacting differently to $t \cdot a$ and $t' \cdot a$ for $t \neq t'$.

Another reason for ignoring deterministic automata is the centrality of the equivalence between DFA and NDFA in the untimed theory, which serves to show that regular languages are closed under projection. Recognizable timed languages are indeed not closed under projection. The non-recognizable language $L_{bad}$ (2) can be obtained from a recognizable language over $\{a, b\}$ by projecting away $b$. Not seeing $b$, the automaton has to "guess" at certain points whether $b$ has occurred. When this guessing has to be done a finite number of times, the Rabin-Scott subset construction can simulate it by a DFA that goes simultaneously to all possible successors. However, when these hidden events can occur unboundedly within a finite interval and their occurrence times should be memorized, a finite subset construction is impossible. In this context it is worth mentioning the result of [W94] about the determinizability of timed automata under a uniform bounded variability assumption, and also to point out that for the same reasons determinization is always possible under any time discretization.

The closest work to ours, in the sense of trying to establish a semantic input-output definition of a state in a timed system, is [SV96], motivated by testing of timed automata. In that paper the authors give an algorithm for semantic minimization of timed automata and also make useful observations about clock permutations and assignments and about the relevance of clocks in various states. Similar observations were made in [DY96] where clock activity analysis was used to reduce the dimensionality of the clock space in order to save memory during verification.

Another related work is that of [BPT03] which is concerned with data languages, languages over an alphabet $\Sigma \times D$ where $D$ is some infinite domain. Based on ideas developed in [KF94], they propose to recognize such languages using automata augmented with auxiliary registers that can store a finite number of data elements but not perform computations on these values. The results in [BPT03] show that acceptance by such automata coincides with their notion of recognizability by a finite monoid. These very general results can be specialized to timed languages by interpreting $D$ as absolute time and every pair $(a, d) \in \Sigma \times D$ as a letter $a$ and a time stamp $d$. Although the special nature of time can be imposed via monotonicity restrictions on the $d$'s, we feel more comfortable with our more "causal" treatment of time as an entity whose elapse is consumed by the automaton in the same way input events are. Other investigations of the algebraic aspects of timed languages are reported in [D01].



Note that in the untimed theory recognizability implies decidahility but not vice versa, for 
example the emptiness problem for push-down automata is decidable. 
To summarize, we have defined what we believe to be the appropriate notion of recognizability for timed systems and have shown that it coincides with acceptance by a deterministic timed automaton. We believe that this is the "right" class of timed languages and we have yet to see a useful and realistic timed language which is outside this class. Our result also makes timed theory closer to the untimed one and opens the way for further algebraic investigations of timed languages.

Let us conclude with some open problems triggered by this work: 

1 . What happens if contiguous sums are replaced by arbitrary sums or by linear expres- 
sions with positive coefficients? Clearly, the former case corresponds to “stopwatch 
automata” and the latter to some class of hybrid automata and it is interesting to see 
whether such a study can shed more light on problems related to these automata. 

2. Is there a natural restriction of the timed regular expressions of [ACM02] which guarantees recognizability? Unfortunately, dropping the renaming operation will not suffice because the language $L_{bad}$ (2) can be expressed without it.

3. Can our results be used to develop an algorithm for learning timed languages from 
examples and for solving other related problems such as minimization and test 
generation? 

4. Can recognizability be related to the growth of the index of the Nerode congruence 
for a discretization of the language as time granularity decreases? 
Abstract. A tree can be compressed into a DAG by sharing common
subtrees. The resulting DAG is at most exponentially smaller than the 
original tree. Consider an attribute grammar that generates trees as out- 
put. It is well known that, given an input tree s, a DAG representation 
of the corresponding output tree can be computed in time linear in the 
size of s. A more powerful way of tree compression is to allow the sharing 
of tree patterns, i.e., internal parts of the tree. The resulting “sharing 
graph” is at most double-exponentially smaller than the original tree. 
Consider a macro tree transducer and an input tree s. The main result
is that a sharing graph representation of the corresponding output tree 
can be computed in time linear in the size of s. A similar result holds for 
macro forest transducers which translate unranked forests, i.e., natural 
representations of XML documents. 



1 Introduction 

Consider a finite, labeled, ranked, and ordered tree. A tree of this type can for
example be represented by a bracketed expression of the form c(g(a, b, b), c(a, a)).
How can such a tree be compressed? Or, what is its smallest representation? 
Certainly, the smallest Turing Machine (or C program) that generates the tree 
is a good answer to the latter question. However, not only is such a representation 
very difficult to obtain, but it is also hard to alter or merely query it (without 
decompressing it first). 

Instead of this general approach to compression we are interested in a repre- 
sentation of trees in which the functionality of the basic tree operations (such as 
the movement on nodes along the edges) are preserved. This type of compression 
is called “data optimization” in [13]. 

In the context of XML there has been some recent work on tree compres- 
sion. XML documents represent trees that are slightly different from the ones 
discussed above. First, they are unranked, i.e., a node in an XML tree can have 
arbitrarily many children, and second, labels are typed (in the sense that there 
are tags for internal nodes, data values for leaves, and the latter can be of various 
primitive types such as integers, strings, etc.). The XMill compression tool [16] 
takes proper care of the type issue by grouping all values of the same type into 
one container. The containers are then compressed using known methods (such 
as gzip for string values). However, XMill is not a data optimization tool: the 
resulting output cannot be queried or processed without prior decompression. 
Fig. 1. The tree t, its minimal DAG g, and a sharing graph h. 



XML data optimization is considered in [2,10]. There it is shown that (by 
sharing of common subtrees) a minimal DAG representation of a tree can be 
obtained in time linear in the size of the tree. A tree t together with its DAG 
representation g can be seen in Fig. 1. Moreover, they consider the problem of 
evaluating tree queries on DAG representations. Note that in their approach 
only internal nodes of an XML document are collapsed in the DAG. 

In this paper we consider a tree optimization method that is based on sharing 
graphs (for short, sgraph). The latter were used by Lamping [14] to implement 
optimal reductions of λ-calculus (see also [1,12]). Sgraphs can be seen as a gen- 
eralization of DAGs in the following sense: consider a node of a DAG that is 
shared, i.e., with k > 1 incoming edges. This node can be seen as a special 
“begin sharing” marker because the tree rooted at that node is being shared by 
several other nodes. The sgraph now generalizes this idea by adding a symmet- 
ric “end sharing” marker. Consequently, such a marker has one incoming and k 
outgoing edges. Begin and end markers are also called fan-ins and fan-outs (or 
multiplexers and demultiplexers) and are depicted by a triangle pointing down 
(with k incoming edges from above, ordered) and its vertical mirror image, re- 
spectively. An sgraph representation of the tree t is shown in the right of Fig. 1. 
An sgraph is unfolded by following its paths starting at the root node; if, on 
such a path, the ith input of a fan-in is entered then the next fan-out must be 
exited by the ith output. 

Tree compression using DAGs has a maximal compression ratio of 1/log n 
(achieved, e.g., when representing a full binary tree of height n by a DAG with 
n nodes). Tree compression using sgraphs has a maximal compression ratio of 
1/log log n. It can be achieved by representing a full binary tree of height 2^n by 
n pairs of nested fan-in/fan-outs which share a binary node. Such an sgraph is 
shown in the right of Fig. 4 (for n = 3). 
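The DAG construction referred to above (one node per distinct subtree, built in one pass) is easy to see in code. The following Python is an added example and not part of the paper: it builds the minimal DAG of a tree by hash-consing, decompresses it again to check the result, and measures the ratio on a full binary tree (the leaf counts as one extra DAG node next to the n inner ones). Trees are nested tuples (label, child_1, ..., child_k); the sample tree is the tree t of Fig. 1, written out by unfolding the context-free tree grammar of Fig. 2. The function names are my own.

```python
# Minimal DAG of a ranked tree by hash-consing (added example, not from the paper).
# A tree is a nested tuple (label, child_1, ..., child_k).

def tree_size(t):
    """Number of nodes of the tree t."""
    return 1 + sum(tree_size(c) for c in t[1:])

def minimal_dag(tree):
    """Return (table, root) where table[i] = (label, child ids) is node i of the
    minimal DAG.  Every distinct subtree gets exactly one node; the work is one
    dictionary lookup per node of the input tree, i.e. linear in its size."""
    table = []      # node id -> (label, tuple of child ids)
    index = {}      # (label, child ids) -> node id: the hash-consing table
    def build(t):
        key = (t[0], tuple(build(c) for c in t[1:]))
        if key not in index:             # first occurrence of this subtree
            index[key] = len(table)
            table.append(key)
        return index[key]                # later occurrences share the node
    return table, build(tree)

def unfold_dag(table, node):
    """Decompress a DAG back into the tree it represents."""
    label, kids = table[node]
    return (label, *(unfold_dag(table, k) for k in kids))

def full_binary_tree(height, inner='c', leaf='a'):
    """Full binary tree of the given height: 2^(height+1) - 1 nodes."""
    t = (leaf,)
    for _ in range(height):
        t = (inner, t, t)
    return t

# Constructed sample: the tree t of Fig. 1, obtained by unfolding the context-free
# tree grammar of Fig. 2 (S -> B(B(A)), A -> c(a,a), B(y) -> c(A, d(A, y))).
A = ('c', ('a',), ('a',))
FIG1_TREE = ('c', A, ('d', A, ('c', A, ('d', A, A))))

def dag_stats(tree):
    """(tree size, number of DAG nodes); also checks that the DAG unfolds to the tree."""
    table, root = minimal_dag(tree)
    assert unfold_dag(table, root) == tree
    return tree_size(tree), len(table)

if __name__ == '__main__':
    print(dag_stats(FIG1_TREE))             # 19 tree nodes, 6 DAG nodes
    print(dag_stats(full_binary_tree(10)))  # 2047 tree nodes, 11 DAG nodes
```

The DAG shares whole subtrees only; the lower c(a, a) copies of Fig. 1 collapse, but the repeated pattern c(A, d(A, ·)) with a hole does not, which is exactly what the fan-in/fan-out pairs of an sgraph add.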

The minimal DAG that represents a tree t can be seen as the minimal finite 
state tree automaton that accepts t, or as the minimal regular tree grammar that 
generates t. In this sense the generalization of DAGs to sgraphs just corresponds 
to moving from finite state automata/regular grammars to push-down 
automata/context-free grammars. In fact, it is not difficult to interpret an sgraph 
as a particular push-down tree automaton, or as a particular context-free tree 
grammar (the latter is discussed in Sect. 4). In Fig. 2 we see grammars for g and 
h of Fig. 1. 

S → c(A, B)      S → B(B(A)) 
A → c(a, a)      A → c(a, a) 
B → d(A, C)      B(y) → c(A, d(A, y)) 
C → c(A, D) 
D → c(A, A) 

Fig. 2. Regular and context-free tree grammars that generate {t}. 

For strings the idea of using context-free grammars to compress is well known. 
In fact, as shown in [15], the famous LZ78 compression is just a particular in- 
stance of compression by context-free grammars. It is shown in [15] that even 
though the problem of finding for a string the minimal context-free grammar is 
NP-complete, there exist quite a number of good approximation algorithms for 
this problem. Context-free grammars which generate exactly one string are also 
known as “straight-line programs”, and in [21] it was proved that deciding their 
equivalence can be done in polynomial time. Thus, the corresponding strings 
need not be decompressed in order to test their equivalence. 

For trees the idea of grammar-based compression seems to be new. Clearly, 
the problem of finding a minimal context-free tree grammar is NP-complete 
(because it can be reduced to the corresponding string problem). Can the ap- 
proximation algorithms discussed in [15] be generalized to trees? Is the equiva- 
lence problem for straight-line context-free tree grammars solvable in polynomial 
time? Both questions are subject of further research and are not addressed in 
this paper. Rather, we consider tree translation formalisms that can be altered 
in order to generate sgraphs. 

In particular we consider the macro tree transducer [8] which is a power- 
ful model of syntax directed translation. It can be obtained by combining the 
top-down tree transducer with the macro grammar. Recently it has been shown 
that (compositions of) macro tree transducers can simulate pebble tree trans- 
ducers [7]. The latter were introduced in [19] and model the “tree translation 
core” of all known XML query and transformation languages (including, e.g., 
XQuery and XSLT). 

Macro tree transducers (mtts) can be simulated by the top-down tree to 
graph transducers of [9]. In fact, the output graphs are DAG representations 
of the corresponding output trees. Now, what happens if we use top-down tree 
to graph transducers in order to generate sgraphs? Our main result is that in 
this way even linear top-down tree to graph transducers can simulate mtts. 
Linearity means that every node of the input tree is processed at most once. As 
a consequence we obtain that an sgraph representation of the output tree of an 
mtt can be computed in time linear in the size of the corresponding input tree. 

Previous complexity results about mtts [17] are based on simulations by 
attribute grammars. For the latter it is folklore that a DAG representation of 
the output tree can be computed in time linear in the size of the corresponding 
input tree. In fact, the involved attribute grammars generate trees by using tree 
concatenation (= “first-order tree substitution”) as only operation. The same 
operation is used in the derivation of a regular tree grammar. This explains 
why DAGs are particularly well suited for representing outputs of such attribute 
grammars (or, attributed tree transducers as they are called). Since macro tree 
transducers can be seen as a generalization of context-free tree grammars, it is 
not surprising that for them sgraphs are well suited to represent their outputs. 
Hence, our result is the generalization of the linear time compatibility from 
attributed tree transducers on DAGs to macro tree transducers on sgraphs. 

Our simulation of mtts by linear top-down tree to sgraph transducers implies 
that every output language of an mtt can be represented as a context-free sgraph 
language. This is in accordance with the fact that output tree languages of 
attributed tree transducers can be represented as context-free DAG languages [4]. 

It should be noted that there is a price to be paid for the fact that sgraphs can 
compress better than DAGs: their unfolding is more difficult. The same holds 
for querying/processing an sgraph because, intuitively, a stack containing the 
history of entered fan-ins has to be maintained at all times. In the last section 
of this paper we address the problem of querying/processing an sgraph and give 
some bounds on the amount of overhead needed. 

2 Trees, DAGs, and Sharing Graphs 

We assume the reader to be familiar with trees, tree automata, and tree trans- 
lations (see, e.g., [11]). A set Σ together with a mapping rank: Σ → ℕ is called 
a ranked set. For k ≥ 0, Σ^(k) is the set {σ ∈ Σ | rank(σ) = k}; we also 
write σ^(k) to denote that rank(σ) = k. The set inc(Σ) consists of all symbols 
σ ∈ Σ, but now with rank 1 + rank_Σ(σ). For a set A, ⟨Σ, A⟩ is the ranked set 
{⟨σ, a⟩ | σ ∈ Σ, a ∈ A} with rank(⟨σ, a⟩) = rank(σ). The set of all (ordered, 
ranked) trees over Σ is denoted T_Σ. For a tree t, V(t) is the set of nodes of t. 
The size of t is its number |V(t)| of nodes. For a set A, T_Σ(A) is the set of all 
trees over Σ ∪ A, where all elements in A have rank zero. We fix the set of input 
variables as X = {x_1, x_2, ...} and the set of parameters as Y = {y_1, y_2, ...}. 
For k ≥ 0, X_k = {x_1, ..., x_k} and Y_k = {y_1, ..., y_k}. 

For the representation of DAGs and sharing graphs we use hypergraphs. The 
reader is assumed to be familiar with hypergraphs and hyperedge replacement, 
see, e.g., [3]. For a ranked alphabet Γ and m ≥ 0, a hypergraph g of rank m over 
Γ consists of finite sets of nodes and hyperedges. Every hyperedge e of rank k is 
incident with a sequence nod(e) of k nodes (“the nodes of e”) and is labeled by a 
symbol of rank k, i.e., in Γ^(k). Furthermore, there is a sequence ext of “external 
nodes” which has length m. 

To represent trees, DAGs, and sharing graphs by hypergraphs we use the 
following order on an edge e of rank m ≥ 1: if nod(e) = v_1 ··· v_m then v_1 ··· v_{m−1} 
is the sequence of argument nodes of e, denoted ar(e), and v_m is the result node 
of e, denoted res(e). Let g be a hypergraph. A path of g is a sequence u_1 ··· u_n 
of nodes such that there are hyperedges e_1, ..., e_n with u_1 = res(e_1) and, for 
every 2 ≤ i ≤ n, u_i = res(e_i) and u_i appears in ar(e_{i−1}). If all paths p of g are 
acyclic, i.e., no node appears more than once in p, then g is a directed acyclic 
(hyper)graph (DAG). 

Let Δ be a ranked alphabet and m ≥ 2. Define F_m = {▽^(m+1), △^(m+1)}, i.e., 
a fan-in and a fan-out, each of rank m + 1. A hypergraph g over Δ ∪ F_m is a sharing graph (sgraph) if applying 
the following rewrite rules results in a tree t (recall from the Introduction our 
conventions on how to draw sgraphs). The left rule generates i copies of a symbol 
f which is shared by a fan-in. In this way the fan-in is moved down (and split 
into n copies, where n is the number of arguments of f). If a fan-in meets a 
corresponding fan-out (right rule), then both are deleted and their inputs and 
outputs are melted together appropriately. The tree t is the unfolding of g, de- 
noted tree(g). Notice that the rewriting system is confluent but not terminating. 




Fig. 3. The rules of the rewriting system that unfolds a sharing graph. 



3 Sharing Graph Implementation of Tree Transducers 

In this section our two main results are proved. First, for every macro tree trans- 
ducer and given an input tree of size n, an sgraph representation of the corre- 
sponding output tree can be computed in time linear in n. The second result is 
about macro forest transducers. There we can only show that an sgraph repre- 
sentation of an output forest can be computed in time exponential in n. However, 
if the macro forest transducer does not copy by means of its input variables Xi, 
then the output sgraph can be computed in time linear in n. Sgraphs generated 
by the above two implementations can contain garbage. Last we discuss how to 
avoid the generation of garbage. 

Macro Tree Transducers are finite state devices that take trees over a ranked 
alphabet as input and produce trees over another ranked alphabet. Here we only 
deal with total deterministic macro tree transducers which realize total functions 
on trees. 

Definition 1. A (total, deterministic) macro tree transducer (mtt) is a tuple 
M = (Q, Σ, Δ, q_0, R), where Q is a ranked alphabet of states, Σ and Δ are 
ranked alphabets of input and output symbols, respectively, q_0 ∈ Q^(0) is the 
initial state, and R is a finite set of rules. For every q ∈ Q^(m) and σ ∈ Σ^(k) with 
m, k ≥ 0 there is exactly one rule of the form ⟨q, σ(x_1, ..., x_k)⟩(y_1, ..., y_m) → ζ 
in R, where ζ ∈ T_{⟨Q,X_k⟩ ∪ Δ}(Y_m); the tree ζ is denoted by rhs_M(q, σ). □ 

The rules of M are used as term rewriting rules in the usual way. The deriva- 
tion relation of M (on T_{⟨Q,T_Σ⟩ ∪ Δ}) is denoted by ⇒_M and the translation realized 
by M, denoted τ_M, is the total function {(s, t) ∈ T_Σ × T_Δ | ⟨q_0, s⟩ ⇒*_M t}. 

Example 2. We define the mtt M_dexp which translates a monadic tree of height 
n into a full binary tree of height 2^n. Let M_dexp = (Q, Σ, Δ, q_0, R) with Q = {q_0^(0), q^(1)}, 
Σ = {a^(1), e^(0)} and Δ = {σ^(2), e^(0)}. The set R consists of the 
following rules. 

⟨q_0, a(x_1)⟩ → ⟨q, x_1⟩(⟨q, x_1⟩(e)) 
⟨q_0, e⟩ → σ(e, e) 
⟨q, a(x_1)⟩(y_1) → ⟨q, x_1⟩(⟨q, x_1⟩(y_1)) 
⟨q, e⟩(y_1) → σ(y_1, y_1) 

Let us take a look at a computation of M_dexp for the input tree s = aaae 
(for better readability we sometimes omit brackets in monadic trees): 

⟨q_0, aaae⟩ ⇒_{M_dexp} ⟨q, aae⟩(⟨q, aae⟩(e)) 
⇒*_{M_dexp} ⟨q, ae⟩(⟨q, ae⟩(⟨q, ae⟩(⟨q, ae⟩(e)))) 
⇒*_{M_dexp} σ(⟨q, e⟩^7(e), ⟨q, e⟩^7(e)) 
⇒*_{M_dexp} σ(σ(⟨q, e⟩^6(e), ⟨q, e⟩^6(e)), σ(⟨q, e⟩^6(e), ⟨q, e⟩^6(e))) 
⇒*_{M_dexp} fbt_Δ(8) 

where fbt_Δ(8) denotes a full binary tree over Δ of height 8. □ 
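Example 2 is easy to run. The Python below is an added example (not the paper's code): a small interpreter for total deterministic mtts that evaluates M_dexp by plain term rewriting, which materialises the double-exponential output, and then computes the size of that output in a second pass that never builds it. The second pass memoises, per state and input node, the size of ⟨q, s⟩(y_1, ..., y_m) as an affine function of the parameter sizes, so every input node is visited once per state and parameter copies are counted rather than rebuilt; this is the arithmetic counterpart of the sharing the sgraph construction of Section 3 performs. The tuple encodings of trees and rules and all function names are mine.

```python
# Interpreter for total deterministic macro tree transducers (added example,
# not from the paper).  Trees are nested tuples (label, child_1, ..., child_k).
# Right-hand sides are built from three node kinds:
#   ('sym', label, [subtrees])        an output symbol
#   ('call', state, i, [subtrees])    the state call <state, x_{i+1}>(subtrees)
#   ('param', j)                      the parameter y_{j+1}

def sym(label, *args):
    return ('sym', label, list(args))

def call(state, i, *args):
    return ('call', state, i, list(args))

Y1 = ('param', 0)

# Constructed rule set: M_dexp of Example 2, keyed by (state, input symbol).
M_DEXP = {
    ('q0', 'a'): call('q', 0, call('q', 0, sym('e'))),   # <q0,a(x1)> -> <q,x1>(<q,x1>(e))
    ('q0', 'e'): sym('sigma', sym('e'), sym('e')),      # <q0,e> -> sigma(e,e)
    ('q', 'a'):  call('q', 0, call('q', 0, Y1)),         # <q,a(x1)>(y1) -> <q,x1>(<q,x1>(y1))
    ('q', 'e'):  sym('sigma', Y1, Y1),                   # <q,e>(y1) -> sigma(y1,y1)
}

def run(rules, state, s, params=()):
    """Normal form of <state, s>(params) by term rewriting; a copied parameter
    is copied as a whole tree (second-order substitution)."""
    return _eval(rules, rules[(state, s[0])], s[1:], params)

def _eval(rules, rhs, children, params):
    kind = rhs[0]
    if kind == 'param':
        return params[rhs[1]]
    if kind == 'sym':
        return (rhs[1],) + tuple(_eval(rules, t, children, params) for t in rhs[2])
    args = tuple(_eval(rules, t, children, params) for t in rhs[3])
    return run(rules, rhs[1], children[rhs[2]], args)

def tree_size(t):
    return 1 + sum(tree_size(c) for c in t[1:])

def tree_height(t):
    return 0 if len(t) == 1 else 1 + max(tree_height(c) for c in t[1:])

def output_size(rules, state, s, num_params=0):
    """Size of run(rules, state, s, ...) without building it.  For each state q and
    input node u a pair (c, w) is memoised such that
        |<q,u>(t_1..t_m)| = c + w[0]*|t_1| + ... + w[m-1]*|t_m|,
    so each input node is visited at most once per state: the pass is linear in
    |s| up to a constant that depends on the transducer only."""
    memo = {}

    def visit(q, node, m):
        key = (q, id(node))
        if key not in memo:
            memo[key] = affine(rules[(q, node[0])], node[1:], m)
        return memo[key]

    def affine(rhs, children, m):
        kind = rhs[0]
        if kind == 'param':
            w = [0] * m
            w[rhs[1]] = 1
            return 0, w
        if kind == 'sym':
            c, w = 1, [0] * m
            for t in rhs[2]:
                tc, tw = affine(t, children, m)
                c += tc
                w = [a + b for a, b in zip(w, tw)]
            return c, w
        # state call: compose the callee's affine map with those of its arguments
        arg_maps = [affine(t, children, m) for t in rhs[3]]
        cc, cw = visit(rhs[1], children[rhs[2]], len(arg_maps))
        c, w = cc, [0] * m
        for weight, (ac, aw) in zip(cw, arg_maps):
            c += weight * ac
            w = [a + weight * b for a, b in zip(w, aw)]
        return c, w

    return visit(state, s, num_params)[0]

def monadic(n):
    """The input tree a^n e of Example 2."""
    s = ('e',)
    for _ in range(n):
        s = ('a', s)
    return s

if __name__ == '__main__':
    out = run(M_DEXP, 'q0', monadic(3))
    print(tree_height(out), tree_size(out))        # 8 511
    print(output_size(M_DEXP, 'q0', monadic(3)))   # 511
    print(output_size(M_DEXP, 'q0', monadic(6)))   # 2**65 - 1, and no tree is built
```

For a^n e the memoised pass keeps n + 1 small records, while run() would have to allocate 2^(2^n + 1) − 1 nodes; the same bookkeeping, with the affine maps replaced by shared graph fragments, is what the ttst of Lemma 3 does.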

Instead of computing output trees (which can be double exponentially bigger 
than the input tree, as seen in the example) we now want to generate sgraph 
representations of linear size with respect to the input tree. As computation 
model for sgraphs we use the top-down tree to graph transducer of [9]. 

A macro tree transducer generates an output tree by successively applying its 
term rewrite rules to a sentential form (starting with ⟨q_0, s⟩). Due to the presence 
of parameters the application of such a rewrite rule carries out a second-order 
tree substitution. The top-down tree to graph transducer (ttgt) generalizes the 
mtt from tree substitution to hypergraph substitution. It is defined just as an 
mtt, i.e., it consists of ranked alphabets of states, input symbols, and output 
symbols, an initial state q_0, and a finite set of rewrite rules. For a state q of rank 
m ≥ 0 and an input symbol σ of rank k the ttgt has exactly one rule 

⟨q, σ(x_1, ..., x_k)⟩ → g 

where g is a hypergraph of rank m over ⟨Q, X_k⟩ ∪ Δ. 

Given an input tree s, the ttgt G generates an output hypergraph by applying 
its rewrite rules, starting with the initial graph g_0 consisting of a single hyperedge 
e labeled ⟨q_0, s⟩ and m distinct nodes incident with e, where m is the rank of 
q_0. A rule ⟨q, σ(x_1, ..., x_k)⟩ → g can be applied to a hypergraph h that contains 
a hyperedge e labeled ⟨q, σ(s_1, ..., s_k)⟩, where s_1, ..., s_k are input trees. The 
new hypergraph h' with h ⇒_G h' is obtained from h by removing the edge e 
and gluing in its place the right-hand side g, in which x_i is replaced by s_i. The 
gluing is done in such a way that the ith node of e (i.e., the ith node in the 
sequence nod(e)) is identified with the ith external node of g. Since our ttgts are 
total deterministic, there is for every input tree s a unique hypergraph τ_G(s) = g 
over Δ derived from the initial hypergraph g_0 by ⇒*_G. We need two restrictions 
on ttgts: If the right-hand side of every rule is linear in the input variables X_k 
then G is linear. Obviously, a linear ttgt translates each node of the input tree 
at most once, i.e., for an input tree s of size n the output tree is obtained from 
g_0 by at most n rule applications. If all hypergraphs generated by G are sgraphs 
then G is a top-down tree to sharing graph transducer (ttst). Note that, for a 
ttst G, the function τ_G ∘ tree is a tree translation (we use nonstandard order for 
composition ∘). 

Note that since hypergraph replacement is a generalization of second-order 
tree substitution, it is not difficult to simulate any mtt by a ttgt such that every 
output graph is a DAG representation of the corresponding output tree. Param- 
eters are represented by external nodes and parameter copying becomes DAG 
sharing of a node. This was proved in [9]. We now take that construction and 
remove all state copying from the mtt by introducing appropriate fan-in/outs. 
Thus, parameter copying of the mtt becomes DAG sharing of the ttst and state 
copying of the mtt become fan sharing of the ttst. 

Lemma 3. For every mtt M there exists effectively a linear tree to sharing 
graph transducer G such that τ_G ∘ tree = τ_M. 

Proof. Let M = (Q, Σ, Δ, q_0, R) and let <_Q be a total order on Q. We first fix 
some auxiliary notions. For every σ ∈ Σ^(k), k ≥ 1, i ∈ [k], and Q' ⊆ Q let 

Q_{σ,i}(Q') := {q ∈ Q | ⟨q, x_i⟩ occurs in rhs_M(q', σ) for some q' ∈ Q'}. 

For m ≥ 0, a tree ζ ∈ T_{⟨Q,X_k⟩ ∪ Δ}(Y_m) and a natural number i define graph(ζ, i) as 
the hypergraph representation g of ζ, where the jth parameter y_j, j ∈ [m], is 
represented by the (i + j − 1)th external node of g, and the root node of ζ is 
represented by the (i + m)th external node of g. Note that a symbol δ of rank 
k is represented by a hyperedge of rank k + 1 (with argument and result nodes, 
see the definition of DAGs in Section 2; for details see, e.g., [6] or [9]). 

The idea of the construction of G is as follows. Consider a q_0-rule of M 
with right-hand side ζ and let g be the graph representation graph(ζ, 1). The 
corresponding rule of G is obtained by merging in g all state calls that are on 
the same variable x_i. There might be several different states q_1, ..., q_l on x_i, and 
there might be several occurrences of ⟨q_j, x_i⟩ in g. We remove from g all edges 
labeled x_i and add a new handle labeled Q = {q_1, ..., q_l} in G which denotes the 
merging of those states. The rank of Q is the sum of the ranks of q_1, ..., q_l (for 
the parameters) plus l (for the root nodes). If there were v > 1 distinct edges 
labeled ⟨q_j, x_i⟩, then we use a fan-in and one fan-out per parameter of q_j, each of rank v. The inputs to 
the fan-in are the result nodes of these edges and the output of the fan-in is the 
node incident with the Q-edge that corresponds to the root of q_j. The inputs of 
the fan-outs are the q_j-parameter nodes of the Q-edge and their outputs are the 
argument nodes of the ⟨q_j, x_i⟩-labeled edges. 

Let G = (P, Σ, inc(Δ), {q_0}, U). The states and rules of G are defined by 
applying the recursive procedure make_rules to the initial state {q_0}. 

make_rules(Q) { 
  Let Q = {q_1, ..., q_l} with q_1 <_Q q_2 <_Q ··· <_Q q_l and r_j = rank_Q(q_j) for j ∈ [l]. 
  Let Q be a state in P of rank m = l + r_1 + r_2 + ··· + r_l. 
  For every σ ∈ Σ^(k), k ≥ 0 do { 
    Let g be the disjoint union of the graphs 
      graph(rhs_M(q_1, σ), 1), graph(rhs_M(q_2, σ), 2 + r_1), graph(rhs_M(q_3, σ), 3 + r_1 + r_2), 
      ..., graph(rhs_M(q_l, σ), l + r_1 + r_2 + ··· + r_{l−1}). 
    For every i ∈ [k] do { 
      Add to g new nodes v_1, ..., v_{m'} and a new edge e (of rank m', the rank of the 
      state Q_{σ,i}(Q)) labeled ⟨Q_{σ,i}(Q), x_i⟩ with nod(e) = v_1 ··· v_{m'}. 
      Let Q_{σ,i}(Q) = {q'_1, ..., q'_n} with q'_1 <_Q ··· <_Q q'_n and let r'_j = rank_Q(q'_j). 
      For j ∈ [n] let E_{i,j} be the edges in g that are labeled ⟨q'_j, x_i⟩. 
      For every j ∈ [n] do { 
        Remove all edges in E_{i,j} from g. 
        Let E_{i,j} = {e_1, ..., e_v}. 
        Add to g a fan-in of rank v with output node v_{j + r'_1 + ··· + r'_j} and 
        input nodes res(nod(e_1)), res(nod(e_2)), ..., res(nod(e_v)). 
        For every μ ∈ [r'_j] do { 
          Add to g a fan-out of rank v with input node v_κ, 
          for κ = j + (r'_1 + ··· + r'_{j−1}) + (μ − 1), and with output 
          nodes ar(nod(e_1))[μ], ar(nod(e_2))[μ], ..., ar(nod(e_v))[μ]. 
        } 
      } 
    } 
    Let the rule ⟨Q, σ(x_1, ..., x_k)⟩ → g be in U. 
  } 
} 

Correctness of G can be proved as follows. For an sgraph g of rank m and 
k ∈ [m] let tree(g, k) denote the tree obtained by starting the unfolding at 
the kth external node of g. For q ∈ Q^(m) let M_q(s) be the normal form of 
⟨q, s⟩(y_1, ..., y_m) w.r.t. ⇒_M (and similarly for G_p, p ∈ P). Correctness, namely 
tree(τ_G(s)) = τ_M(s), follows from the claim for q = q_0 and Q = {q_0}. 

Claim: Let s ∈ T_Σ, Q = {q_1, ..., q_n} ∈ P with q_1 <_Q ··· <_Q q_n, and 
j ∈ [n]. Then tree(G_Q(s), m) = M_q(s). 

Note that in tree(G_Q(s), m) the (m − rank_Q(q) + j)th external node of G_Q(s) 
is interpreted as y_j. This claim can be proved by induction on the structure of 
s. The main point is to show how the application of ‘tree’ distributes through 
a graph that is obtained by hyperedge replacement (hr). Roughly speaking, 
hr becomes second-order tree substitution. The proof is similar to the one of 
Lemma 5.3 of [9]. □ 



Example 4. Consider the mtt M_dexp of Example 2. We now apply to it the 
construction presented in the proof of Lemma 3 to obtain a linear ttst G that 
computes for every input tree s an sgraph g such that tree(g) = τ_M(s). Define 
G = (P, Σ, inc(Δ), {q_0}, U). The only possible state sets are {q_0} of rank 1 and 
Q_{a,1}({q_0}) = {q} of rank 2. Hence P = {{q_0}^(1), {q}^(2)}. It remains to define 
the rules in U. 

Let us start with the a-rules, and in particular with the ({q_0}, a)-rule. Let 
g be the graph representation graph(rhs_M(q_0, a), 1) of the tree rhs_M(q_0, a) = 
⟨q, x_1⟩(⟨q, x_1⟩(e)). We now enter the part of the construction that is presented 
in pseudo code. Since a is of rank k = 1 there is only the choice i = 1 in the first 
loop. We now add to g a new edge e labeled ⟨Q_{a,1}({q_0}), x_1⟩. The corresponding 
graph is shown on the left of Figure 4. Now Q_{a,1}({q_0}) = {q}, r'_1 = 1. Thus there 
is only the choice j = 1 in the second loop. Let E = {e_1, e_2} 
be the edges as in the left of Figure 4. We now add a fan-in of rank 2 with output 
node v_{1+r'_1} = v_2 and input nodes res(nod(e_1)) = u_1 and res(nod(e_2)) = u_2 (see 
the figure). For the final loop the only choice is μ = 1. Then κ = 1. Hence, we 
add a fan-out of rank 2 with input node v_1 and output nodes ar(nod(e_1)) = u_2 
and ar(nod(e_2)) = u_3. The final right-hand side g of the ({q_0}, a)-rule of G is 
shown in the middle of Figure 4. 

Fig. 4. The graphs graph(rhs_M(q_0, a), 1), rhs_G({q_0}, a), and the sgraph τ_G(aaae). 

It should be clear how to construct the ({q}, a)-rule of G. Let us consider the 
computation of G for the input tree s = aaae. The resulting sgraph is shown in 
the right of Fig. 4. □ 

It should be intuitively clear how to realize a linear ttst G on a RAM A. 
The input to A is a tree s represented as pointer structure. Then A computes 
the output graph τ_G(s) (as a pointer structure) by applying the r ules of G 
successively. Clearly, the application of a rule l → r can be done in time O(|r|). 
Since a linear ttst computes the output sgraph for an input tree of size n by 
application of at most n rules, we obtain our first main result. 

Theorem 5. For every mtt M there is effectively a RAM that computes, given 
an input tree s, an output sgraph g with tree(g) = τ_M(s) in time O(|s|). 



XML Translations. In an XML document a node (denoted by <tag> and 
</tag>) has arbitrarily many subtrees (viz., the sequence of trees between <tag> 
and </tag>). Hence, an XML document naturally represents an unranked tree 
(seen as a graph with two sorts of edges: child edges and sibling edges). In con- 
trast to that, classical tree language theory is mainly concerned with ranked 
trees. Of course every unranked tree can be represented by a binary tree (ob- 
tained from the unranked tree by simply deleting all child edges to non-first 
children) . 

Several tree transducer models that work directly on unranked trees are more 
powerful than their ranked counterparts. E.g., for the top-down tree transducer 
this was proved in [18]. For the macro tree transducer this was recently proved 
in [20]: their unranked version of mtt, the macro forest transducer (mft), is 
strictly more powerful than mtts on binary encodings. Even though every mft 
can be simulated on binary trees by the composition of two mtts, the complexity 
of type checking is the same for an mft as for just one mtt. Therefore the mft de- 
serves attention. In this section we show how to generate sgraph representations 
of output forests of mfts. 

Let us consider an example of an mft. In fact, it is the transducer F_dexp used 
in [20] to prove that mfts are more powerful than mtts on encodings. For an 
alphabet Σ the set F_Σ of (unranked) forests over Σ is defined by the context- 
free grammar with productions 

F → T | F F 
T → ε | a(F),  a ∈ Σ 

The mft is the natural generalization of the mtt to the forests defined above: a 
rule is of the form ⟨q, σ(x_1) x_2⟩(y_1, ..., y_m) → f where f is a forest over Δ ∪ Y_m 
plus elements of ⟨Q, X_2⟩ which occur ranked. The mft F_dexp has Σ = {a} and 
Δ = {b} as input and output alphabets, respectively, and the following two rules. 

⟨q, a(x_1) x_2⟩(y_1) → ⟨q, x_2⟩(⟨q, x_2⟩(y_1)) 
⟨q, ε⟩(y_1) → y_1 y_1 
It starts computing with ⟨q, s⟩(b) and translates the input forest s of width n 
(i.e., consisting of n concatenated trees) into the forest f_n consisting of the con- 
catenation of 2^{2^n} trees b. Using the usual encoding of forests by binary trees, the 
corresponding ranked translation has double exponential height increase (take 
the forest s_n = a^n as input) and therefore cannot be realized by any mtt. 

If we try to construct a linear top-down tree to sgraph transducer for F_dexp 
following the construction of Lemma 3 then we get a wrong ttst which generates 
the concatenation of only 2^{n+1} trees b. The reason is that the copying by con- 
catenation present in the second rule (with rhs y_1 y_1) cannot be realized by DAG 
sharing. In fact, it is easy to see that no linear ttst can generate sgraph repre- 
sentations of f_n, taking s_n as input. This is because sgraphs for linear structures 
(like strings or monadic trees) have a compression rate of at most 1/log n. 

Now let us try to simulate an mft by a non linear ttst. Instead of sharing 
states on the same input variable xi (as in the construction of Lemma 3) we 
now simply take the state copying of the mft over into the rules of the ttst. In 
order to realize the copying of parameters we use fan-in/outs. A state now has 
two tentacles for each parameter (thus it has 2m argument nodes if there are 
m parameters). In a computation they will be incident with the begin and end 
nodes of the string of trees of the actual parameter forest. Similarly, every state 
has two result nodes which correspond to the begin and end nodes of the forest it 
will compute. If we apply this construction to the mft F_dexp then we obtain the 
ttst G_dexp which has the two rules depicted in Fig. 5. Obviously, if the original 
mft F is linear in the input variables, then so is the resulting ttst G. We obtain 
the following lemma. 

Fig. 5. The rules of the ttst G_dexp. 

Lemma 6. For every mft F there exists effectively a top-down tree to sgraph 
transducer G such that τ_G ∘ tree = τ_F. If F is X-linear then G is linear. 

Consider an mft F that is linear in the parameters. Maybe a construction 
similar to the one of Lemma 3 can be used to show that there is linear ttst that 
computes corresponding sgraphs. But this remains to be proved. 

Instead, let us try to find a more liberal condition on the input variables. It 
turns out that the linearity condition can be weakened into the “finite copying” 
restriction, without changing the corresponding class of translations. An mft is 
finite copying in the input if there is a c > 0 such that the number of states that 
translate a certain node of the input tree is bounded by c. 
Theorem 7. For every macro forest transducer M there is effectively a RAM 
that computes, given an input tree s, an output sgraph g with tree(g) = τ_M(s) 
in time O(2^{|s|}). If M is finite copying in the input, then g is computed in time 
O(|s|). 

Proof (sketch). For the general case the result follows from Lemma 6. Assume 
now that M is finite copying in the input. We can decompose M into a finite 
copying top-down forest transducer T followed by an mft M' that is linear in 
the input variables. The idea is the one of Theorem 4.8 of [8]: every mtt can be 
decomposed into a top-down tree transducer followed by a so called “YIELD” 
mapping (it interprets its input symbols as substitution operations and in this 
way realizes the second-order tree substitution inherent in an mtt). In fact, for 
mtts that are linear in the parameters this was shown in Lemma 2 of [6]. Its 
generalization to nonlinear parameters and to forests should be straightforward. 
Finite copying top-down forest transducers are obviously of linear size increase. 
Since every mft can be simulated by the composition of two mtts by Theorem 9 
of [20], τ_T(s) can be computed in time linear in ℓ = |s| + |τ_T(s)| by Theorem 15 
of [17]. By Lemma 6 and the fact that M' is linear, τ_{M'}(τ_T(s)) = τ_M(s) can be 
computed in time linear in ℓ. □ 

Removal of Garbage. Consider a ttst G. For an input tree s the output τ_G(s) 
is an sgraph with one external node v. The tree represented by τ_G(s) is obtained 
by unfolding the sgraph rooted at the node v. However, τ_G(s) might contain 
subgraphs that are not at all connected to the sgraph rooted at v. Such parts of 
τ_G(s) are called garbage. But in an sgraph there can be even more garbage: nested 
pairs of fan-ins/outs (as in the right of Fig. 4) might share nothing whatsoever, 
i.e., the innermost fan-in is directly connected to the innermost fan-out. 

If we consider the translation of Lemma 3 then these forms of garbage will 
be generated if the underlying mtt (1) deletes a parameter, i.e., if y_j does 
not occur in the right-hand side of a state (of rank ≥ j) or when it (2) erases 
a state, i.e., if a state of rank one has a rule with right-hand side y_1. Thus, if 
an mtt is nondeleting in the parameters and nonerasing in the states, then the 
corresponding ttst will not generate garbage. It was proved in Lemma 7.11 of [5] 
that for every mtt there is an equivalent mtt (with regular look-ahead) that is 
nondeleting and nonerasing. Thus we obtain the following lemma. 

Lemma 8. For every mtt M there is a linear garbage-free ttst G such that 
τ_G ∘ tree = τ_M. 

It is probable (but remains to be proved) that a similar result holds for mfts 
(with “linear garbage-free” replaced by “garbage-free”). 

4 Exploring Sharing Graphs 

Sgraphs can be used as compressed representations of trees. In the previous 
section it was shown how to generate sgraphs by means of tree to graph trans- 
ducers. But once we have computed an sgraph, what can we do with it (other 
than decompressing)? In the Introduction we have claimed that the basic tree 
operations are preserved when moving from a tree to a compressed sgraph. In 
this section we want to make this claim more precise by showing that any algo- 
rithm that reads the tree (by moving along its edges) can also be realized on the 
sgraph with a slow down that is (per move) linear in the size of the sgraph. In 
order to do this we first show that any sgraph can be represented by a particular 
context-free tree grammar (in the sense that they represent the same tree). 

In a context-free tree grammar the set N of nonterminals is ranked and a 
production is of the form A(y_1, ..., y_m) → t where A ∈ N^(m), m ≥ 0, and t is 
a tree over N and the terminal ranked alphabet Δ. The grammar is simple if it is 
linear, nondeleting, and nonerasing, i.e., if each parameter y_j occurs exactly once in 
t and t ≠ y_1. In a straight-line grammar the set of productions can be written 
as A_1 → r_1, ..., A_n → r_n such that all A_i are pairwise different and nontermi- 
nals A_j occurring in r_i have j > i. We now illustrate how an sgraph g can be 
transformed into a straight-line simple context-free tree grammar G. 

The scope of a fan-in $f$ in $g$ is the sharing subgraph of $g$ rooted at the output 
of $f$ and ending at leaves or fan-outs matching $f$. For an sgraph $g$ we introduce 
a nonterminal $A$ and the production $A \to t$ where the tree $t$ is obtained as 
follows. Starting at the root of $g$ we copy the tree top-down until a fan-in edge 
$e$ is encountered (the same as for DAG copying). We introduce a new nonterminal 
$e$ of rank $m$, where $m$ is the number of matching fan-outs for $e$. At the $i$-th 
input to $e$ we stop copying and add the subtree $e(t_1, \dots, t_m)$ to $t$, where $t_j$ is 
generated by applying the copy procedure to the $i$-th output node of the $j$-th 
fan-out of $e$. If $e$ is encountered again no new nonterminal is introduced. After 
$t$ has been generated we apply the same procedure to the new nonterminals 
$e_1, \dots, e_k$ (one for each fan-in) and their respective scopes; then, when the $j$-th 
matching fan-out (thus, they should be ordered) is encountered, the parameter 
$y_j$ is generated. As the reader may verify, application of this procedure to the 
sgraph of Fig. 1 (where we assume that the lower shared $c$-node has implicitly 
a fan-in with no fan-outs) produces (up to renaming) precisely the context-free 
tree grammar shown in Fig. 2. 

Given a straight-line simple cf tree grammar $G$ (that generates $\{t\}$) we now 
show how to simulate the movement through the nodes of $t$. This is done without 
unfolding the tree, but by using a stack the size of which is bounded by the size 
of $G$. Let $A_1, \dots, A_n$ be the nonterminals of $G$, $t_1, \dots, t_n$ their respective right- 
hand sides and $A_1$ the initial nonterminal. We will consider nested derivations of 
$G$ in order to simulate the navigation through the nodes of $t$. This means that 
every nonterminal to which a production is applied (except $A_1$) was introduced 
by the previous production. By definition the length of such a derivation is at 
most $n$. If $i_1, \dots, i_m$ are the indices of the productions in such a derivation then 
$i_1 < \dots < i_m$ and $m \le i_m - i_1 + 1 \le n$. 

Nested derivations have the useful property that they can be represented 
in a compact way by storing the indices of the applied productions and, for 
each right-hand side, a pointer to the nonterminal that will be replaced in the 
following step. To this purpose we use pointed productions, i.e. productions where 
we have selected one node in the right-hand side. We denote pointed productions 
as pairs $p = (j, u)$, where $j$ is the index of the production and $u$ is the path to 
a node in its right-hand side. A stack $\sigma = [(j_1, u_1) \dots (j_m, u_m)]$ is a sequence of 
pointed productions where $j_1 = 1$, each pointer $u_l$ ($1 \le l < m$) refers to a node 
in the right-hand side of the $A_{j_l}$-production labeled $A_{j_{l+1}}$, and the last (top) 
pointer $u_m$ refers to a terminal node. It is clear that such a stack corresponds 
to a sentential form with one selected terminal node, and therefore it identifies 
a unique node of the tree $t$. The empty stack $[]$ has no node corresponding to it 
and will be interpreted as “find the root node”. We implement the operations 
$\mathrm{down}_i$ and $\mathrm{up}$ as operations on stacks. 

For a stack $\sigma$ we implement the operation $\mathrm{down}_i(\sigma)$, $i \in \mathbb{N}$, as follows. If $\sigma$ 
is the empty stack then we look for the shortest left-most derivation that starts 
from the initial symbol $A_1$ and produces a sentential form with the root labeled 
by a terminal. Notice that the number of steps required and the size of the 
stack are bounded by $n$. If $\sigma = [(j_1, u_1) \dots (j_m, u_m)]$ is not empty we move the 
pointer $u_m$ to the $i$-th son of the selected node. Now, we have three possibilities: 

(1) If the new pointed node has a terminal label we are finished. 

(2) If the new pointed node has a nonterminal label $A_{j_{m+1}}$ we extend the stack 
by performing a left-most derivation starting from $A_{j_{m+1}}$ and ending with 
a sentential form that has a terminal node at the root. The resulting stack 
also represents a nested derivation, therefore the size of the stack and the 
cost of the $\mathrm{down}_i$ operation are bounded by $n$. 

(3) If the new pointed node is a parameter, then we must backtrack (pop) in 
order to find an earlier right-hand side in which the parameter is instantiated. 
We may need several backtracking steps, since a variable can always be 
replaced by another variable. The backtracking stops eventually because the 
initial symbol contains no variables. Now we proceed as in (2). 

Given a stack $\sigma$, we implement $\mathrm{up}$ in the following way. If $\sigma = []$, then there 
is nothing to be done. Otherwise, we need to find a position in a right-hand 
side where the parent node of the current node is a terminal symbol. We first 
backtrack, trying to find a $(j, u)$ with $u \ne \varepsilon$. If we end up with the empty stack 
then we are finished (because the current node was the root). Otherwise let 
$u = u'i$ with $i \in \mathbb{N}$ and change $u$ into $u'$. If $u'$ is terminal then we are finished. 
Otherwise we rewrite the nonterminal at $u'$, extend the stack appropriately, 
and position the pointer in the right-hand side on the father $u''$ of the unique 
occurrence of $y_i$. Note that $u''$ exists because $G$ is simple. We repeat this rewrite 
procedure until we obtain a terminal node $u''$. 

The above construction has shown how to simulate on a simple context-free 
tree grammar $G$ the tree operations $\mathrm{down}_i$ and $\mathrm{up}$ in time bounded by the size 
of $G$. 
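The stack simulation described above, as an added example that is not code from the original paper: the grammar, the term encoding and the function names are constructed here for illustration, and `unfold` decompresses the grammar only so that the navigation can be checked against the full tree.

```python
# Added example (not from the paper): navigating the tree denoted by a
# straight-line simple context-free tree grammar without unfolding it.  Terms
# are (label, children) pairs and paths are tuples of 1-based child indices.
# The constructed grammar below denotes f(g(a, h(c)), g(h(c), h(c))) with the
# g-subtree and h(c) shared; A_j occurs in the rhs of A_i only for j > i.
GRAMMAR = {
    "A1": ([], ("f", (("A2", (("a", ()),)), ("A2", (("A3", ()),))))),
    "A2": (["y1"], ("g", (("y1", ()), ("A3", ())))),
    "A3": ([], ("h", (("c", ()),))),
}
START = "A1"

def node_at(g, j, u):
    """Node reached by path u inside the right-hand side of production j."""
    node = g[j][1]
    for i in u:
        node = node[1][i - 1]
    return node

def find_param(node, y, prefix=()):
    """Path of the unique occurrence of parameter y in node (grammar is simple)."""
    if node[0] == y:
        return prefix
    for i, k in enumerate(node[1], 1):
        p = find_param(k, y, prefix + (i,))
        if p is not None:
            return p
    return None

def expand(g, stack, j):
    """Left-most derivation from A_j until a terminal node is at the root."""
    stack.append((j, ()))
    while node_at(g, j, ())[0] in g:       # rhs root is a nonterminal: keep going
        j = node_at(g, j, ())[0]
        stack.append((j, ()))
    return stack

def down(g, stack, i):
    """down_i: move the top pointer to the i-th son of the selected node."""
    if not stack:                           # [] is read as "find the root node"
        return expand(g, [], START)
    stack = list(stack)
    j, u = stack[-1]
    stack[-1] = (j, u + (i,))
    while True:
        j, u = stack[-1]
        label = node_at(g, j, u)[0]
        if label in g:                      # case (2): nonterminal, extend the stack
            return expand(g, stack, label)
        if label in g[j][0]:                # case (3): parameter y_k, backtrack (pop)
            k = g[j][0].index(label) + 1
            stack.pop()                     # entry below points at the A_j node,
            j2, u2 = stack[-1]              # whose k-th argument instantiates y_k
            stack[-1] = (j2, u2 + (k,))
            continue
        return stack                        # case (1): terminal node

def up(g, stack):
    """up: move to the father of the selected node ([] if it was the root)."""
    stack = list(stack)
    while stack and stack[-1][1] == ():     # backtrack to a pointer u != epsilon
        stack.pop()
    if not stack:
        return stack
    j, u = stack[-1]
    u, i = u[:-1], u[-1]
    stack[-1] = (j, u)
    while True:
        j, u = stack[-1]
        b = node_at(g, j, u)[0]
        if b not in g:
            return stack                    # the father is a terminal node
        # current node is the i-th argument of b: point at the father of y_i in rhs(b)
        pos = find_param(g[b][1], g[b][0][i - 1])
        u2, i = pos[:-1], pos[-1]
        stack.append((b, u2))

def current_label(g, stack):
    j, u = (stack or expand(g, [], START))[-1]
    return node_at(g, j, u)[0]

def navigate(g, path):
    """Stack reached from the root by following path with successive down_i moves."""
    stack = expand(g, [], START)
    for i in path:
        stack = down(g, stack, i)
    return stack

def unfold(g, node=None, env=None):
    """Decompress the grammar into the tree it denotes (only used for checking)."""
    label, kids = node if node is not None else (START, ())
    env = env or {}
    if label in env:                        # parameter: its instantiation
        return env[label]
    if label in g:                          # nonterminal: bind its parameters
        params, rhs = g[label]
        return unfold(g, rhs, dict(zip(params, (unfold(g, k, env) for k in kids))))
    return (label, tuple(unfold(g, k, env) for k in kids))
```

The stack never grows beyond the number of productions, which is the bound on the cost of each move stated above.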
Abstract. Several types of term rewriting systems can be distinguished 
by the way their rules overlap. In particular, we define the classes of 
prefix, suffix, bottom-up and top-down systems, which generalize similar 
classes on words. Our aim is to study the derivation relation of such sys- 
tems (i.e. the reflexive and transitive closure of their rewriting relation) 
and, if possible, to provide a finite mechanism characterizing it. Using a 
notion of rational relations based on finite graph grammars, we show that 
the derivation of any bottom-up, top-down or suffix systems is rational, 
while it can be non recursive for prefix systems. 



1 Introduction 

Word rewriting systems are among the most general formalisms found in com- 
puter science to model word transformations. They generalize grammars, can 
represent the runs of finite automata, transducers, pushdown automata or even 
Turing machines. They can thus be considered as a unifying framework to com- 
pare all these heterogeneous formalisms. For instance, [6] proposes a homoge- 
neous presentation of several well-known families of infinite graphs, using an 
approach based on word rewriting systems proposed in [4], which is to consider 
the ‘Cayley graph’ of a rewriting system. In another paper [5], a classification of 
word rewriting systems according to the way their rules overlap is established. 
It is proved that the derivation relations of four classes of systems are rational, 
which means that they can be generated by finite transducers. These systems 
called left, right, prefix and suffix, were later used in [6]. Any other class is shown 
to contain at least one system whose derivation is not rational. 

The aim of this work is to extend these results from words to terms. To 
summarize, we will be interested in term rewriting systems whose derivation 
can be characterized by a finite mechanism. First of all, we have to specify 
which definition of rationality for relations on terms we intend to use, as several 
distinct notions already exist (see [13] for an overview). Unfortunately, none 
of them is as widely adopted as the standard one for words, as each relies on 
different characteristics of the word case, and serves a different purpose. In this 
paper, we will adopt a notion introduced in [14], which makes use of hyperedge 
replacement graph grammars. The reason for this choice is the close similarity 
between the way these grammars work, and the asynchronous mechanism of a 
word transducer. Then we extend the definitions of left, right, prefix and suffix 
systems to terms, yielding what we will call bottom-up, top-down, prefix and 
suffix systems, and investigate the rationality of their derivation relations. We 
also mention recognizability preservation properties for bottom-up, top-down 
and suffix systems. 

(contract No. IST-1999-29082). 

I. Walukiewicz (Ed.): FOSSACS 2004, LNCS 2987, pp. 378-392, 2004. 
© Springer-Verlag Berlin Heidelberg 2004 

On Term Rewriting Systems Having a Rational Derivation 379 

Numerous works deal with term rewriting systems. Among the closest to our 
approach, we can mention for instance [10] and [15], which specifically investi- 
gate the recognizability preservation properties of term rewriting systems. Both 
papers study classes of systems which properly include the class of top-down 
systems, and prove that they preserve recognizability. However, the derivation 
relations of these systems are not rational (more generally, no finite representa- 
tion of these relations is given). On the contrary, Dauchet and Tison extensively 
studied ground term rewriting systems, i.e. systems whose rules do not contain 
variables [8]. In particular, they proved that these systems have a decidable first 
order theory with reachability [9] by explicitly building their derivation relation. 
From another point of view, [12] and [7] investigated the geometric properties 
of transition graphs of ground systems and compared this family of graphs with 
respect to other well-known families. Note that by definition, ground systems are 
a special kind of suffix systems. Finally, we can mention the theme of symbolic 
model-checking, whose main idea is to represent regular sets of configurations by 
finite word automata and system transitions by rewrite rules or transducers (see 
for example [2]). This field is currently being extended to systems with richer 
topologies, like trees [1,3]. A central problem relevant to this method is to com- 
pute the set of configurations reachable in any number of steps when starting 
from a regular set of configurations (for instance a recognizable term language) . 

This paper is organized as follows: after recalling a few basic notions about 
trees, terms and recognizable languages, we present the notion of rationality for 
term relations introduced in [14]. In Section 4 we introduce term rewriting sys- 
tems, and detail the four subclasses we consider. The last two parts present our 
results concerning the rationality of the derivations of top-down, bottom-up and 
suffix systems, as well as remarks concerning their preservation of recognizability. 



2 Terms and Trees 

Let $F = \bigcup_{n \ge 0} F_n$ be a finite ranked alphabet, each $F_n$ being a set of function 
symbols of arity $n$ (elements of $F_0$ are constants), and $X$ be a finite set of 
variable symbols. The set $T(F, X)$ of finite first-order terms on $F$ with variables 
in $X$ is the smallest set including $X$ and satisfying $f \in F_n \wedge t_1, \dots, t_n \in 
T(F, X) \Rightarrow f t_1 \dots t_n \in T(F, X)$. The set $T(F, X)^+$ of tuples of terms will 
be called the set of term words. A term word $t = (t_1, \dots, t_n)$ is usually noted 
$t_1 \dots t_n$, and $t(i)$ is used to denote $t_i$. The dimension of $t$ is called its length and 
noted $|t|$ (here $|t| = n$). Term words containing no variable are called ground. 
The set of ground terms is noted $T(F, \emptyset)$ or simply $T(F)$. The set of variables 
actually occurring in a term or term word $t$ is $\mathrm{Var}(t)$, and $t$ is said linear if 
each of its variables occurs only once. If moreover $t$ has $n$ variables, it is called 
an $n$-context. The variables of an $n$-context are conventionally noted $\Box_1 \dots \Box_n$. 
The set of $n$-contexts is denoted by $C_n(F)$, the set of all contexts by $C(F)$. A 
common operation on terms is substitution. A substitution is fully defined by a 
mapping from $X$ to $T(F, X)$, and extended to a morphism as follows: we note $t\sigma$ 
the application of a substitution $\sigma$ to a term word $t$, which is done by replacing 
every occurrence of each variable $x$ occurring in $t$ by the term $\sigma(x)$. The set of 
substitutions over $F$ and $X$ is noted $S(F, X)$. For any term word $s = s_1 \dots s_n$ 
and when $t$ is an $n$-context, we use $t[s]$ as a shorthand notation for the variable 
substitution $t\{\Box_i \mapsto s_i \mid i \in [1, n]\}$. All these notations are extended to sets of 
term words in the usual way. A term, term word, context or substitution is said 
to be proper or non-trivial if it contains at least one symbol in $F$. 

Let $\mathbb{N}$ be the set of strictly positive integers; we call position any word in 
the set $\mathbb{N}^*$. Every term $t$ in $T(F, X)$ can be represented as a finite ordered tree 
whose nodes are labeled by symbols in $F$ or variables in $X$, or equivalently as a 
mapping from a prefix-closed set of positions $\mathrm{Pos}(t)$, called the domain of the 
term, to the set $F \cup X$. Let $t = f(t_1, \dots, t_n)$ be a term represented by an 
ordered tree; position $\varepsilon$ denotes the root of $t$, and for $n \in \mathbb{N}$, $p \in \mathbb{N}^*$, position $np$ 
denotes the node at position $p$ in subtree $t_n$. Seeing terms as trees, term words 
can be seen as ordered forests. In the following, we will use the prefix partial 
order on positions, noted $\ge$: let $p$ and $q$ be two positions, $p \ge q$ if there is some 
$q' \in \mathbb{N}^*$ such that $p = qq'$. If furthermore $q' \ne \varepsilon$, we write $p > q$. We denote 
by $\mathrm{pos}(x, t)$ the set of positions at which the variable $x \in X$ occurs in term 
$t \in T(F, X)$. 

The most common acceptors for languages of trees (and thus terms) are 
finite tree automata. Among several variants, we will only consider top-down 
tree automata, defined by a finite set $Q$ of control states and a finite set $R$ 
of transition rules of the form $qf \to f q_1 \dots q_n$ where $f \in F_n$ ($n$ can be 0) 
and $q, q_1, \dots, q_n \in Q$. A configuration is an embedding of control states in the 
input tree, i.e. a tree from $T(F \cup Q, X)$, where each $q \in Q$ is considered a 
unary function symbol. A rule $qf \to f q_1 \dots q_n$ can be applied in configuration 
$c_1$ to reach configuration $c_2$ if $c_1 = t[qf t_1 \dots t_n]$ and $c_2 = t[f q_1 t_1 \dots q_n t_n]$ for 
any context $t$ and term word $t_1 \dots t_n$. A run of the automaton is a sequence of 
applications of rules on a given input. A ground term $t \in T(F)$ is accepted or 
recognized if there is a run from configuration $q_0 t$ (where $q_0$ is an initial control 
state) to configuration $t$. The set of terms accepted by a tree automaton $A$ is 
called the language of $A$ and noted $L(A)$. The languages accepted by finite tree 
automata are called recognizable. 

3 Rational Tree Relations 

Several authors have tried to define suitable notions of binary relations over 
terms generalizing known families of relations over words, like for instance the 
recognizable relations, or the more general rational relations (i.e. relations 
recognized by finite transducers). As of now, no extension to terms is really considered 
canonical, as each family of relations has its own merits and drawbacks. Several 
distinct families can be encountered: recognizable relations as such, relations 
defined as rational languages over some overlap coding of both projections of 
the relation, relations induced by various types of tree transducers, or the more 
specific class of ground tree transductions, to cite but a few (see [13] for a survey). 

In [14], a notion of rationality for tuples of trees according to the union, 
substitution and iterated substitution operations is proposed. This notion can 
also be seen as a definition for binary rational relations over tuples of trees, and 
thus as a special case, binary relations over trees. Similarly to the word case, 
this class is strictly more general than the class of recognizable relations. In his 
paper, Raoult proves that the rational languages of tuples can be generated using 
a special kind of hyperedge replacement grammars. This definition is justified by 
its similarity to rational word relations on several aspects: first, as it should be, 
it coincides with rational word relations when restricted to trees of degree one. 
Second, it is closed under projection on any number of components, union and 
intersection. Finally, its mechanism is indeed quite close to the way a transducer 
works. However, this generality has a cost, and this class of relations is not closed 
under composition. 

First, we need to define the product operation we shall use to define rational 
sets, which is an extension of the usual substitution operation. Let $t$ be a term 
word, $x$ a word of $n$ variables having $k \ge 0$ instances $x_1 \dots x_k$ in $t$ (i.e. a total 
of $n \cdot k$ variables), and $M$ a set of $n$-tuples of terms. We define $t \cdot_x M$ as the set 
of tuples of terms obtained by replacing each instance of $x$ in $t$ with a (possibly 
different) element of $M$. Formally: $t \cdot_x M := \{\, t\{x_i(j) \mapsto s_i(j) \mid i \in [1, k],\ j \in 
[1, n]\} \mid s_1, \dots, s_k \in M \,\}$. It is extended to sets in the usual way: $L \cdot_x M := \{ t \cdot_x M \mid t \in L \}$. 
Furthermore, define $L^{\cdot_x 0} := L$ and $L^{\cdot_x *} := \bigcup_{n \ge 0} L^{\cdot_x n}$. We are now ready 
to define the notion of rationality associated to this product: 

Definition 3.1 ([14]). The set $Rat_n$ of rational languages of $n$-tuples of trees is 
the smallest set of languages containing the finite languages of tuples and closed 
under the following operations: 

1. $L \in Rat_n \wedge M \in Rat_n \Rightarrow L \cup M \in Rat_n$ 

2. $L \in Rat_n \wedge x \in X^m \wedge M \in Rat_m \Rightarrow L \cdot_x M \in Rat_n$ 

3. $L \in Rat_n \wedge x \in X^n \Rightarrow L^{\cdot_x *} \in Rat_n$ 

The family $Rat$ of rational languages over tuples of terms is the union of all 
$Rat_n$, for $n \ge 1$. 

One should note that this notion of rationality differs from the one defined 
in [11], for example, as the concatenation (or ‘series’) product is not directly 
taken into account, and substitution is done simultaneously on several vari- 
ables. From this definition arises a straightforward notion of rational expres- 
sion, which extends the usual notion on words. It should be noted that Rati 
does not coincide with the set of recognizable term languages. For example, on 
$F = \{f^{(2)}, g^{(1)}, a^{(0)}\}$ the language $\{ f(g^n a, g^n a) \mid n \ge 0 \} \in Rat_1$ is defined by the ratio- 
nal expression $f\Box_1\Box_2 \cdot [g\Box_1\ g\Box_2]^{*} \cdot [a\ a]$, but it is not a recognizable term language. 

Let us now recall the hyperedge replacement grammars used in [14], which 
generate the rational languages of tuples of terms. In this paper, we will call 
grammar a hyperedge replacement grammar such that every production (A, a) 
has the following properties: 

— the terminal subgraph of $\alpha$, say $\alpha_t$, obtained by removing all non-terminal 
hyperedges from $\alpha$, is an ordered forest with $n$ connected components (an $n$-tuple 
of trees), where $n$ is the arity of $A$, 

— the vertices of $\alpha$ belonging to a hyperedge are leaves of $\alpha_t$, 

— no vertex of $\alpha$ belongs to more than one hyperedge. 

These properties allow us to refer to the right-hand sides of this type of grammars 
as ‘leaf-linked forests’. The definition of grammar derivation is the usual one for 
hyperedge replacement. It will be useful to also recall the formal definition of a 
grammar from the point of view of terms, as it is done in the original paper: 

Definition 3.2 ([14]). Given a set $X$ of variables, a production is a pair $(A, \alpha)$, 
where $A \in X^n$ ($A = A_1 \dots A_n$ is called a non-terminal), $\alpha \in T(F, X \times \mathbb{N})^n$ 
(here $X \times \mathbb{N}$ denotes the set of numbered instances of variables of $X$), and both 
$A$ and $\alpha$ are linear. A grammar is a finite set of productions such that the 
variables occurring in the right-hand sides can be grouped to form instances of 
non-terminals. A step of derivation of a grammar is defined as $t \to_G t\{A^j_i \mapsto 
\alpha^j_i \mid i \in [1, n]\}$ where $t$ is a term word, there is a production $(A, \alpha)$ in $G$ and $A^j$ 
is an instance of $A$ in $t$. The language generated by a grammar $G$ from axiom 
$A$ is the set of tuples of ground trees $L(G, A) = \{ w \in T(F)^{|A|} \mid A \to^*_G w \}$. 



Example 3.3. Let $A = A_1 A_2$ and $B = B_1 B_2 B_3$ be two non-terminals of respec- 
tive arity 2 and 3. The grammar $G_1$ having rules 

$A \to a\ a \mid gA_1\ gA_2 \mid fA^1_1A^2_1\ fA^1_2A^2_2 \mid fB_1B_2\ B_3$ 

$B \to A^1_1A^2_1\ fA^1_2A^2_2 \mid gB_1\ gB_2\ hB_3$ 

can be represented as a HR grammar in the following way: [figure not reproduced] 

Then a possible production sequence of $G_1$ would be: [figure not reproduced] 

As expected, these grammars generate the rational languages: 

Theorem 3.4 ([14]). A language of tuples of terms is rational if and only if it 
is the language generated by a grammar. 

A rational language of $n$-tuples of terms can also be seen as a binary relation 
in $T(F)^p \times T(F)^q$, where $p + q = n$. In this case, given a non-terminal $A$, we define 
the first and second projections $\pi_1(A)$ and $\pi_2(A)$ by the set of variables of $A$ 
referring to the first (resp. second) projection of the relation. A similar notation 
is used for right-hand sides of grammar productions as well. For clarity, we write 
a production $(A, \alpha)$ as $(A, \pi_1(\alpha) \times \pi_2(\alpha))$. Without loss of generality, we always 
consider that $A = \pi_1(A)\pi_2(A)$ and $\alpha = \pi_1(\alpha)\pi_2(\alpha)$. For example, if the axiom 
of a $T(F)^p \times T(F)^q$ relation is $A = A_1 \dots A_n$, we can have $\pi_1(A) = A_1 \dots A_p$ 
and $\pi_2(A) = A_{p+1} \dots A_{p+q}$. 

Example 3.5. Grammar $G_1$ from Ex. 3.3 generates, from non-termin al $A$, a lan- 
guage $L(G_1, A) \in Rat_2$, which can be seen as a $T(F) \times T(F)$ relation. In this 
case, its rules can be written 

$A \to a \times a \mid gA_1 \times gA_2 \mid fA^1_1A^2_1 \times fA^1_2A^2_2 \mid fB_1B_2 \times B_3$ 

$B \to A^1_1A^2_1 \times fA^1_2A^2_2 \mid gB_1\ gB_2 \times hB_3$ 



4 Term Rewriting Systems 



A (term) rewrite rule is a pair $(l, r) \in T(F, X)^2$ such that $\mathrm{Var}(r) \subseteq \mathrm{Var}(l)$. A 
rewrite rule $(l, r)$ is said to be linear if both $l$ and $r$ are. A rewrite system, or 
more specifically term rewriting system, is a set of rewrite rules $R$. A system $R$ is 
finite when $|R|$ is finite, and recognizable when the potentially infinite number of 
rules is given as a finite union of pairs $U \to V$, where $U$ and $V$ are recognizable 
term languages. Note that we only consider systems where the total number of 
distinct variables is finite. A system is linear when all its rules are linear. We 
denote by $\mathrm{Dom}(R)$ (resp. $\mathrm{Ran}(R)$) the set of left-hand sides (resp. right-hand 
sides) of $R$, up to a renaming of the variables. The rewriting according to a 
system $R$ is the relation 

$\to_R \;=\; \{ (c[l\sigma], c[r\sigma]) \in T(F) \times T(F) \mid (l, r) \in R \wedge c \in C_1(F) \wedge \sigma \in S(F, X) \}.$ 

In case we want to specify that a rule $(l, r)$ is used at some position $p$ (resp. 
set of positions $P$), we use the notation $\to^{p}_{l,r}$ (resp. $\to^{P}_{l,r}$). The reflexive 
and transitive closure of $\to_R$ by composition is called the derivation of $R$ and 
written $\to^{*}_{R}$. 



Classification of Rewriting Systems. In the case of words, several natural classes 
of rewriting systems can be distinguished by the way their rules are allowed to 
overlap. In [5], the composition $\to_{l,r} \circ \to_{l',r'}$ of two rewritings is considered, 
and all the different possibilities of overlapping between the right-hand side of 
the first rewrite rule, and the left-hand side of the second one are examined. 
By discarding systems where unwanted overlappings occur, one obtains four 
general families of systems whose derivation is proven rational, the families of 
left, right, prefix and suffix word rewriting systems. Moreover, any system which 
does not belong to one of these families may have a non-rational derivation. As 
a consequence, as terms generalize words, we only need to study the extension 
of these four families of systems to terms: the classes of bottom-up and top-down 
systems, which respectively correspond to left and right systems, and the families 
of prefix and suffix systems. A term rewriting system $R$ (resp. its inverse $R^{-1}$) 
is said: 

— top-down (resp. bottom-up) if any overlapping between a right-hand side $r$ 
and a left-hand side $l$ of $R$ (resp. $R^{-1}$) is such that $r = f[o]$ and $l = o\lambda$ for 
some (possibly trivial) 1-context $f$ and substitution $\lambda$, 

— prefix if any overlapping between a right-hand side $r$ and a left-hand side $l$ 
of $R$ is such that $l = r\lambda$ or $r = l\mu$ for some possibly trivial substitutions $\lambda$ 
and $\mu$, 

— suffix if any overlapping between a right-hand side $r$ and a left-hand side $l$ 
of $R$ is such that $l = g[r]$ or $r = f[l]$ for some possibly trivial 1-contexts $f$ 
and $g$. 



The following picture illustrates these four kinds of overlappings: [figure not 
reproduced; only the panel label “top-down” survives] 

Prefix and suffix systems respectively generalize root and ground rewriting sys- 
tems. Root rewriting systems are already known to be very powerful: indeed, 
they can simulate the execution steps of Turing machines. This implies a direct 
negative result concerning prefix systems. 

Proposition 4.1. Some linear prefix tree rewriting systems have a non-rational 
derivation. 

Proof. Let $M$ be a Turing machine with a set of states $Q$, a tape alphabet 
$\Gamma$ and a set of transition rules $T \subseteq (Q \times (\Gamma \cup \{\#\})) \times (Q \times \Gamma \times \{+, -\})$ ($\#$ 
denotes the ‘blank’ character). Let us build a prefix system $R_M$ on the alphabet 
$Q \cup \Gamma \cup \{\#\}$, with variables in $\{x, y\}$, where $Q$ is considered binary, $\Gamma$ unary 
and $\#$ an overloaded symbol of arity either 0 or 1. 

For all $pA \to qB+ \in T$, $R_M$ has a rule $pxAy \to qBxy$, plus a rule $px\# \to qBx\#$ 
if $A = \#$. 

For all $pA \to qB- \in T$ and $C \in \Gamma$, $R_M$ has rules $pCxAy \to qxCBy$ and 
$p\#Ay \to q\#\#By$, plus rules $p\#\# \to q\#\#B\#$ and $pCx\# \to qxCB\#$ if $A = \#$. 
This system has both overlappings of the kind $l = r\sigma$ and of the kind $r = l\sigma$, for 
some left and right-hand sides $l$ and $r$ and substitution $\sigma$. It is thus prefix, and 
neither top-down, bottom-up nor suffix in general. It is quite clear that computing 
the derivation of $R_M$ is equivalent to computing the reachability relation of 
$M$, thus is undecidable. Hence $\to^{*}_{R_M}$ is non-recursive and can obviously not be 
rational. □ 

However, contrary to the case of words, where prefix and suffix systems are 
dual and share the same properties, the situation is different in the case of terms. 
The family of ground rewriting systems, which is a sub-family of suffix systems, 
has already been studied by several authors. In particular, Dauchet and Tison 
[8] showed that the derivations of ground systems can be recognized by a certain 
type of composite automata called ground tree transducers (GTT). Section 6 
will use similar arguments in order to prove that, more generally, any suffix 
system has a rational derivation. The two remaining families of term rewriting 
systems we consider, namely top-down and bottom-up systems, are dual. The 
next section puts focus on top-down systems, but all the results extend to the 
bottom-up case (see Corollary 5.5). 



5 Derivation of Bottom-Up and Top-Down Systems 



This section focuses on the study of top-down term rewriting systems and their 
derivations. For any finite linear top-down system, a grammar of tuples of terms 
generating its derivation relation can be built, which implies that this relation 
is rational. Furthermore, from the shape of the grammar, we observe that the 
derivation of such a system preserves the recognizability of term languages. Dual 
results can be obtained for bottom-up systems: the derivation of a linear bottom- 
up system is rational, and the inverse image of a recognizable term language is 
still recognizable. 

Let us first observe that top-down systems enjoy a kind of monotonicity 
feature. Any rewriting sequence of such systems is equivalent to a sequence 
where the successive rewriting steps occur at non-decreasing positions in the 
input term. We call this top-down rewriting. Let $R$ be a term rewriting system; 
we define its top-down rewriting by: 

$$\to^{td}_{R} \;=\; \bigcup_{n \ge 0}\ \bigcup_{p_1, \dots, p_n} \to^{p_1}_{l_1, r_1} \circ \dots \circ \to^{p_n}_{l_n, r_n} \quad \text{with } (l_i, r_i) \in R,$$ 

where the empty composition ($n = 0$) is $\mathrm{Id}_{T(F)}$, and such that the rewriting 
positions do not decrease along indexes ($\forall i, j,\ i < j \Rightarrow \neg(p_j < p_i)$), and if two 
successive positions are equal then the second rewriting should not have a trivial 
left-hand side ($(p_i = p_{i-1}) \Rightarrow (l_i \notin X)$). This last condition means that, for 
instance, the sequence 

$$c[l\sigma] \;\to_{l,r}\; c[r\sigma] \;\to_{x,r'}\; c[r'\{x \mapsto r\sigma\}]$$ 

is not top-down, because the second rule produces its right-hand side ‘higher’ 
than the first one. The rewriting steps should be swapped to obtain the top-down 
sequence 

$$c[l\sigma] \;\to_{x,r'}\; c[r'\{x \mapsto l\sigma\}] \;\to^{\mathrm{pos}(x, c[r'])}_{l,r}\; c[r'\{x \mapsto r\sigma\}].$$ 

The next lemma expresses the fact that, given any rewriting sequence of a top- 
down system, rewriting steps can always be ordered into an equivalent top-down 
sequence. 

Lemma 5.1. The relations of derivation and top-down derivation of any top- 
down term rewriting system $R$ coincide: $\to^{*}_{R} = \to^{td}_{R}$. 

We are now ready to prove the rationality of the derivation of any top-down 
rewriting system. Using this property of top-down systems, it is possible to build 
a grammar which directly generates the derivation of any such system. This 
grammar mimics the way a rational word transducer works, using its control 
state to keep in memory a finite subterm already read or yet to produce. 

Theorem 5.2. Every finite linear top-down term rewriting system R has a ra- 
tional derivation. 

Proof. Let $R$ be a finite linear top-down system. We denote by $O$ the set of all 
overlappings between left and right parts of rules of $R$: 

$$O = \{\, t \in C_n(F, X) \mid \exists s \in C_1(F, X),\ u \in T(F, X)^n,\ s[t] \in \mathrm{Ran}(R) \wedge t[u] \in \mathrm{Dom}(R) \,\}. \qquad (1)$$ 

Remark that $\Box$ belongs to $O$. We will now build a grammar $G$ whose language is 
exactly the derivation of $R$. Its finite set of non-terminals is $\{<*>\} \cup Q$, where 
$Q = \{ <t> = <t>_1 \dots <t>_{n+1} \mid t \in O \cap C_n(F) \}$ and, for all $<t> \in Q$, 
$\pi_2(<t>)$ is a single variable. The production rules of $G$ are of four types. 

Type (1): $\forall f \in F_n$, 

$<\Box> \to f<\Box>^1_1 \dots <\Box>^n_1 \times f<\Box>^1_2 \dots <\Box>^n_2$ 

$<*> \to f<*>^1 \dots <*>^n$ 

Type (2): $\forall t \in O \cap C_n(F),\ t[u] \in O \cap C_m(F)$, 

$<t> \to u[\pi_1(<t[u]>)] \times \pi_2(<t[u]>)$ 

Type (3): $\forall t[u] \in O,\ t \in O \cap C_\ell(F)$ (necessarily $\{u_1, \dots, u_\ell\} \subseteq O$), 

$<t[u]> \to \pi_1(<u_1>) \dots \pi_1(<u_\ell>) \times t[\pi_2(<u_1>) \dots \pi_2(<u_\ell>)]$ 

Type (4): $\forall (t[u], s[v]) \in R,\ v = v_1 \dots v_l$ (necessarily $\{t, v_1, \dots, v_l\} \subseteq O$), 

$<t> \to u\sigma \times s[\pi_2(<v_1>) \dots \pi_2(<v_l>)]$ 
where $\sigma$ is a variable renaming such that for any variable $x$ of $u$, $\sigma(x) = <v_i>_j$ 
if $x$ is the $j$-th variable to appear in $v_i$ (from left to right), and $\sigma(x) = <*>$ if 
$x$ does not appear in any of the $v_i$. Figure 1 illustrates the four types of rules. 

Fig. 1. Grammar associated to a top-down system. [figure not reproduced] 

Intuitively, the role of this substitution is to gather into the same non- 
terminal or hyperedge all the variables of u belonging to the same Vi, while 
respecting the order in which these variables appear in Vi. This way, a correct 
instantiation of non-terminals of G is ensured. If a variable of u does not ap- 
pear at all in v, then it means that a whole input subtree is ‘discarded’ by the 
rewriting rule being applied. Thus the grammar should accept any subtree to be 
generated at this position, which is the role of the unary non-terminal <*>. 

For simplicity, we will only consider type (4) rules in which t,v\, . . .Vn are 
maximal. The other cases can be simulated by suitable finite compositions of 
rules of types (2), (3) and (4). □ 

Example 5.3. Consider the linear top-down system $R$ over the alphabet $F = 
\{f^{(2)}, g^{(1)}, h^{(1)}, a^{(0)}\}$ with a unique rule $fgxgy \to hfxy$. The corresponding 
grammar is the grammar of Ex. 3.5 where each non-terminal stands for one of 
the possible overlappings of rules of $R$: $A$ stands for $\Box$ and $B$ for $f\Box_1\Box_2$. Note 
that type (4) rules with non-maximal overlappings have been discarded. This 
example also illustrates the fact that the inverse image of a recognizable term 
language by the derivation of a linear top-down system is not recognizable in 
general: for instance, the image by $\to^{*}_{R^{-1}}$ of $h^* faa$ is $\{ h^* f g^n a g^n a \mid n \ge 0 \}$, which 
is not recognizable. 

We will now mention a property of top-down systems, which has been known 
for the past few years for larger classes of systems. 

Proposition 5.4. The image of any recognizable term language by the deriva- 
tion relation of a finite linear top-down term rewriting system is recognizable. 

Top-down systems form a strict subfamily of generalized semi-monadic term rewriting systems [10], which is itself a strict subfamily of right-linear finite path overlapping systems [15]. Both classes have been proven to preserve recognizability. As a consequence, this is also the case for top-down systems. However, it should be mentioned that neither of these classes has a rational derivation. Indeed, it is quite easy to find a generalized semi-monadic system whose derivation cannot be recognized by any finite mechanism. For instance, the generalized semi-monadic system whose unique rule is $g\,x \to f\,g\,f\,x$ clearly has a non-rational derivation: its intersection with the rational relation $ga \times f^*gf^*a$ is $ga \times \{f^n g f^n a \mid n \geq 0\}$. By the usual pumping arguments (adapted to this new setting), this relation is not rational.

Finally, please note that the inverse of a top-down system is, by definition, bottom-up. For any top-down system $R$ we can build a grammar $G$ recognizing $\xrightarrow{*}_R$. Thus, the grammar $\pi_2(G) \times \pi_1(G)$ obtained by swapping both projections of $G$ generates the derivation of the bottom-up system $R^{-1}$. Inverse recognizability preservation follows.

Corollary 5.5. Every finite linear bottom-up term rewriting system $R$ has a rational derivation, and the inverse image by $\xrightarrow{*}_R$ of any recognizable term language is recognizable.



6 Derivation of Suffix Systems



This section presents a study of the derivation relations of suffix term rewriting 
systems. After introducing a property related to the notion of suffix rewriting, 
we show that the derivation of any recognizable linear suffix system is rational. 
Finally, we prove that the image or inverse image of any recognizable term 
language by the derivation of a recognizable linear suffix system is recognizable, 
and that it is possible to build a tree automaton accepting it. 

Definition 6.1. The suffix rewriting of a term rewriting system $R$ is the relation

\[ \xrightarrow{\mathrm{suf}}_R \;=\; \{\, (c[l\sigma], c[r\sigma]) \in T(F,X)^2 \;\mid\; (l,r) \in R \;\wedge\; c \in C_1(F) \;\wedge\; \sigma \in S(F,X)\ \text{bijective} \,\} \]

(a bijective substitution in $S(F,X)$ is a bijective variable renaming over $X$).



Suffix systems have a specific behaviour with respect to suffix rewriting. Indeed, the derivation of any input tree $t$ by a suffix system can always be decomposed into two phases. First, a prefix $\bar t$ of $t$ is read, and several steps of suffix rewriting can be applied to it. Once this first sequence is over, $\bar t$ has been rewritten into a prefix $\bar s$ of $s$, never to be modified any more. In a second phase, the rest of $t$ is derived in the same fashion, starting with suffix rewriting of a prefix of the remaining input. As a consequence, the derivation of a suffix system is equivalent to its ‘iterated’ suffix derivation.
Lemma 6.2. For any suffix term rewriting system $R$, $s \xrightarrow{*}_R t$ if and only if

\[ \exists\, \bar s, \bar t \in T(F,X),\ \sigma, \tau \in S(F,X):\quad s = \bar s\sigma \;\wedge\; t = \bar t\tau \;\wedge\; \bar s \xrightarrow{\mathrm{suf}\,*}_R \bar t \;\wedge\; \forall x \in \mathrm{Var}(\bar s) \cap \mathrm{Var}(\bar t),\ \sigma(x) \xrightarrow{*}_R \tau(x). \]

Another interesting property is that, for any recognizable system, a suffix 
rewriting sequence is always equivalent to a sequence in two parts, where the 
first part only consumes suffix subterms of the input term, and the second part 
only produces new suffix subterms in their place. 

Lemma 6.3. For every recognizable linear term rewriting system $R$ over $F$ and $X$, there exist a finite ranked alphabet $Q$ and three finite rewriting systems

- $R_- \subseteq \{\, px \to f\,p_1x_1 \dots p_nx_n \mid f \in F,\ p, p_1, \dots, p_n \in Q,\ x, x_1, \dots, x_n \in X^* \,\}$

- $R_= \subseteq \{\, px \to qy \mid p, q \in Q,\ x, y \in X^* \,\}$

- $R_+ \subseteq \{\, f\,p_1x_1 \dots p_nx_n \to px \mid f \in F,\ p, p_1, \dots, p_n \in Q,\ x, x_1, \dots, x_n \in X^* \,\}$

such that

\[ s \xrightarrow{\mathrm{suf}\,*}_R t \;\iff\; s \xrightarrow{\mathrm{suf}\,*}_{R_+ \cup R_=} \circ \xrightarrow{\mathrm{suf}\,*}_{R_- \cup R_=} t. \]

Lemma 6.3 can be reformulated in the following way: a pair $(s,t)$ of terms belongs to the suffix derivation of a system $R$ if and only if there is a context $c$ such that $s = c[s_1 \dots s_n]$, $t = c[t_1 \dots t_n]$ and for all $i \in [1,n]$, there is a term $q_ix_i$ such that $s_i \xrightarrow{\mathrm{suf}\,*}_{R_+ \cup R_=} q_ix_i$ and $q_ix_i \xrightarrow{\mathrm{suf}\,*}_{R_- \cup R_=} t_i$.

Theorem 6.4. Every recognizable linear suffix term rewriting system R has a 
rational derivation. 

Proof. Let $R$ be a recognizable linear suffix system on $T(F,X)$. Let $R_+$, $R_=$ and $R_-$ be the rewriting systems mentioned in Lemma 6.3. Let $N$ be a set of pairs of the form $u|v$ where $u$ and $v$ are two linear term words over $\mathrm{Ran}(R_+ \cup R_=)^*$ and $\mathrm{Dom}(R_- \cup R_=)^*$ respectively. Note that $\mathrm{Ran}$ and $\mathrm{Dom}$ are defined up to a renaming of the variables. We can thus impose that $u$ and $v$ share the same set of variables ($\mathrm{Var}(u) = \mathrm{Var}(v)$), and that there is no pair of strict subwords $u'$ and $v'$ of $u$ and $v$ such that $\mathrm{Var}(u') = \mathrm{Var}(v')$ (i.e. one should not be able to split $u|v$ into two correct non-terminals). This, together with the facts that $F$ is finite and $u$ and $v$ are linear, implies that $N$ is finite for some fixed, standard variable renaming. Thus, given an axiom $I$, we can build a grammar $G_0$ whose set of non-terminals is $N \cup \{I, I'\}$, having the following finite sets of productions:

\[ \forall f \in F,\qquad I \to f\,I_1 \dots I_n \times f\,I_1 \dots I_n \quad\text{and}\quad I' \tag{2} \]

\[ \forall\, px \in \mathrm{Dom}(R_- \cup R_=) \cap \mathrm{Ran}(R_+ \cup R_=),\qquad I \to px\,|\,px \tag{3} \]

\[ \forall\, u' \to u,\ v \to v',\ u' \in \mathrm{Ran}(R_+)^*,\ v' \in \mathrm{Dom}(R_-)^*,\qquad u|v \to u'|v' \tag{4} \]

\[ \forall\, u_1 = p_1x_1 \dots p_ix_i,\ u_2 = p_{j+1}x_{j+1} \dots p_nx_n,\ v = q_1y_1 \dots q_my_m,\ f\,p_{i+1}x_{i+1} \dots p_jx_j \to_{R_+} px, \]
\[ u_1\,px\,u_2\,|\,v \;\to\; p_1 \dots p_i\,(f\,p_{i+1} \dots p_j)\,p_{j+1} \dots p_n \times v_1 \dots v_m \tag{5} \]

\[ \forall\, u = p_1x_1 \dots p_nx_n,\ v_1 = q_1y_1 \dots q_iy_i,\ v_2 = q_{j+1}y_{j+1} \dots q_my_m,\ qy \to_{R_-} f\,q_{i+1}y_{i+1} \dots q_jy_j, \]
\[ u\,|\,v_1\,qy\,v_2 \;\to\; p_1 \dots p_n \times v_1 \dots v_i\,(f\,v_{i+1} \dots v_j)\,v_{j+1} \dots v_m \tag{6} \]

In rules (5) and (6), all the $(p_k)_{k \in [1,n]}$ and $(v_k)_{k \in [1,m]}$ are variables belonging to instances of non-terminals $u'|v' \in N$ where $u'$ and $v'$ are built from the terms $(p_kx_k)_{k \in [1,n]}$ and $(q_ky_k)_{k \in [1,m]}$ respectively. Variables $p_1$ to $p_n$ (resp. $v_1$ to $v_m$) appear only in the first (resp. second) projection of any non-terminal. Note that this instantiation is unique, by construction of the set $N$. It is also always possible since every rule of $R$ is, by hypothesis, linear.

Call $\rho$ the substitution which maps each non-terminal variable $(u|v)_i$ to the term $(u)_i$ if $i \in [1, |u|]$ and to $(v)_{i-|u|}$ if $i \in [|u|+1, |u|+|v|]$, and each non-terminal variable $(I_i)_j$, $j \in [1,2]$, to a variable $x_i$. It is clear from the rules of $G_0$ that:

\[ I \xrightarrow{*}_{G_0} s \times t \;\implies\; s\rho \xrightarrow{*}_{R_+ \cup R_=} \circ \xrightarrow{*}_{R_- \cup R_=} t\rho. \tag{7} \]

We will not detail the proof of this observation. Notice that this grammar works in a very similar way to a ground tree transducer, which is the formalism used by [8] to recognize the derivation of a ground system. The only difference is that we keep track of the variables appearing in the left and right projections of the relation, so as to be able to resume the rewriting at relevant positions. Now add to $G_0$ the set of rules

\[ \forall x \in X \text{ such that } x\,R\,px,\ qx\,R\,x,\qquad px\,|\,qx \to I \tag{8} \]

\[ px\,|\, \to I' \tag{9} \]

and call this new grammar $G$. These last rules allow the derivation to go on properly after a first sequence of suffix rewritings has taken place, by creating new instances of the axiom between leaves where the same variable would appear. By Lemma 6.2, $G$ generates $\xrightarrow{*}_R$. □

Proposition 6.5. The image and inverse image of any recognizable term lan- 
guage by the derivation of a finite linear suffix term rewriting system is recog- 
nizable. 

Proof sketch. Once a grammar generating the derivation of a suffix system $R$ is built, according to the previous proof, it is not difficult to synchronize the left projection of this grammar with any finite top-down tree automaton $A$. We thus obtain a new grammar, whose second projection yields a finite automaton accepting the image of $L(A)$ by $\xrightarrow{*}_R$. This is symmetrical, hence the converse. □
We will illustrate the fact that suffix systems are strictly more general than ground systems on the following simple example.

Example 6.6. Consider the finite suffix system $R = \{f\,x\,y \to f\,y\,x,\ a \to g\,a\}$ over the ranked alphabet $\{f(2), g(1), a(0)\}$. The first rule of $R$ allows one to swap at any time both children of an $f$-node. This somehow expresses the commutativity of $f$. The derivation of $R$ (restricted for the sake of clarity to $(fg^*ag^*a)^2$) is the relation

\[ \{(fg^mag^na,\ fg^nag^ma) \mid m,n \geq 0\} \;\cup\; \{(fg^mag^na,\ fg^{m+1}ag^na) \mid m,n \geq 0\} \;\cup\; \{(fg^mag^na,\ fg^mag^{n+1}a) \mid m,n \geq 0\}, \]

which is not recognizable by a ground tree transducer.

Furthermore, we claim that the transition graph of this rewriting system 
is not isomorphic to the transition system of any (recognizable) ground term 
rewriting system as defined in [12,7]. Note: the transition graph of a rewriting 
system is the graph whose vertices are the terms from the domain or range of 
the system, and whose edges are all the pairs (s, t) such that s can be rewritten 
to t in one step. 
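As an added illustration of the derivation relations of Examples 5.3 and 6.6 (example code, not part of the paper): a small engine for linear term rewriting in Python. Terms are nested tuples, variables are strings beginning with `?`, and `derivation` enumerates the slice of $\xrightarrow{*}_R$ reachable within a bounded number of steps. The bound is essential: the suffix system of Example 6.6 has an infinite derivation from every term because of the rule $a \to g\,a$, so only a finite slice can ever be enumerated mechanically, and no bounded search can decide the non-recognizability claims of the text; it can only exhibit witnesses. The tuple encoding and the helper names (`match`, `one_step`, `derivation`, `reaches`) are this example's own conventions.

```python
"""Linear term rewriting: reachable terms under ->*_R for the systems of
Examples 5.3 and 6.6 (added example; the encoding and helper names are ours)."""
from collections import deque

# A term is a tuple (symbol, sub_1, ..., sub_n); a variable is a str starting with '?'.
def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def match(pattern, term, subst):
    """Match `pattern` against `term`, extending `subst` in place.
    Patterns here are linear, so each variable is bound at most once."""
    if is_var(pattern):
        if pattern in subst:
            return subst[pattern] == term
        subst[pattern] = term
        return True
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pattern[1:], term[1:]))

def instantiate(t, subst):
    if is_var(t):
        return subst[t]
    return (t[0],) + tuple(instantiate(s, subst) for s in t[1:])

def one_step(rules, term):
    """All terms obtained from `term` by one rewrite step at any position."""
    for lhs, rhs in rules:                      # at the root
        subst = {}
        if match(lhs, term, subst):
            yield instantiate(rhs, subst)
    if is_var(term):
        return
    for i in range(1, len(term)):               # strictly below the root
        for sub in one_step(rules, term[i]):
            yield term[:i] + (sub,) + term[i + 1:]

def derivation(rules, term, bound):
    """The set {t | term ->*_R t in at most `bound` steps}, by breadth-first search."""
    seen = {term}
    frontier = deque([(term, 0)])
    while frontier:
        t, depth = frontier.popleft()
        if depth == bound:
            continue
        for u in one_step(rules, t):
            if u not in seen:
                seen.add(u)
                frontier.append((u, depth + 1))
    return seen

def reaches(rules, source, target, bound):
    return target in derivation(rules, source, bound)

# Term builders for the alphabet {f(2), g(1), h(1), a(0)} of Examples 5.3 and 6.6.
A = ("a",)
def gn(n, t=A):                                  # g^n t
    for _ in range(n):
        t = ("g", t)
    return t
def hn(n, t):                                    # h^n t
    for _ in range(n):
        t = ("h", t)
    return t
def f(s, t):
    return ("f", s, t)

# Example 5.3: the linear top-down system with the unique rule f g x g y -> h f x y.
TOP_DOWN = [(f(("g", "?x"), ("g", "?y")), ("h", f("?x", "?y")))]
# Example 6.6: the suffix system {f x y -> f y x, a -> g a}.
SUFFIX = [(f("?x", "?y"), f("?y", "?x")), (A, ("g", A))]

if __name__ == "__main__":
    # f g^3 a g^3 a reaches h^3 f a a in three steps; an unbalanced term never reaches h* f a a.
    print(reaches(TOP_DOWN, f(gn(3), gn(3)), hn(3, f(A, A)), 3))
    print(len(derivation(TOP_DOWN, f(gn(2), gn(3)), 10)))
    # Example 6.6: swap, then grow the right child: f g^2 a g a ->* f g a g^3 a.
    print(reaches(SUFFIX, f(gn(2), gn(1)), f(gn(1), gn(3)), 2))
```

The breadth-first search terminates only because of the step bound; for the top-down system it also terminates unbounded, since every rule application removes two `g` symbols. The unbalanced term $f g^2 a g^3 a$ gets stuck at $h\,h\,f\,a\,g\,a$, which is the mechanical counterpart of the text's remark that the inverse image of $h^*faa$ is $\{h^* f g^n a g^n a\}$.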

7 Conclusion 

This paper extends the left, right, prefix and suffix word rewriting systems defined in [5] to bottom-up, top-down, suffix and prefix term rewriting systems. The derivation relation of the first three types of systems can be generated by finite graph grammars, while systems of the fourth type have a non-recursive derivation in general. We also stated some recognizability preservation properties of these classes of systems, and provided effective constructions in each case. Although [15] defines a class of recognizability-preserving rewriting systems strictly more general than top-down systems, its authors do not aim to provide a construction for the derivation relation itself, which is indeed not rational. As for suffix systems, to our knowledge, no comparable class of recognizability-preserving systems has been defined yet.

This study puts into practical use the notion of rationality defined in [14], which nicely extends the usual rational relations on words, even though some of their key properties are missing, such as closure under composition or systematic preservation of recognizability. However, this formalism is an interesting and powerful working basis for the study of binary relations on terms, especially thanks to the fact that it is general enough to extend asynchronous transducers (which is not the case of most other formalisms). Still, depending on one’s objectives, it might be necessary to devise a more restricted notion of rational relations on terms, which would be closed under composition or preserve recognizability (or both). Note that [14] contains the definition of such a subfamily of relations (called rational transductions). However, it can be shown that the derivations of some top-down systems do not belong to this class.

Finally, it could be interesting to look for extensions to some of the existing works previously mentioned. First, one may try to elaborate actual verification methods using our systems to model transitions, and recognizable term languages for sets of configurations, along the ideas of regular model-checking [2]. Indeed, being able to effectively build the transitive closure of the system’s transition relation and compute the image of regular sets of configurations could lead to interesting results. Second, the definitions from [12] and [7] about transition graphs of ground systems should extend smoothly to the case of suffix systems. Thus, it would be meaningful to determine whether part or all of their results extend to this new family, and in particular whether the transition graphs of suffix systems have a decidable first-order theory with reachability. Note that, as illustrated in Ex. 6.6, we suspect that the transition graphs of suffix systems strictly include the former families of graphs.
Abstract. Labelled Markov processes (LMPs) are automata whose transitions are given by probability distributions. In this paper we present a ‘universal’ LMP as the spectrum of a commutative C*-algebra consisting of formal linear combinations of labelled trees. We characterize the state space of the universal LMP as the set of homomorphisms from an ordered commutative monoid of labelled trees into the multiplicative unit interval. This yields a simple semantics for LMPs which is fully abstract with respect to probabilistic bisimilarity. We also consider LMPs with entry points and exit points in the setting of iteration theories. We define an iteration theory of LMPs by specifying its categorical dual: a certain category of C*-algebras. We find that the basic operations for composing LMPs have simple definitions in the dual category.



1 Introduction 

This paper is concerned with the semantics of certain probabilistic labelled tran- 
sition systems, called labelled Markov processes (or LMPs) [9,11,7,8]. Proba- 
bilistic models are important for capturing quantitative aspects of process be- 
haviour, such as performance and reliability, e.g., the average response time to 
a given action, or the probability with which a failure occurs. For this reason 
there has been a lot of research into adapting the concepts and results of classical 
concurrency theory to the probabilistic case. In particular, the notion of bisim- 
ilarity has been adapted to probabilistic systems [18,9,17], and its equational 
theory investigated in [22,4,19] amongst many others. 

The bisimulation equivalence classes of LMPs can be gathered together into 
what could be termed a universal LMP. This object has previously been stud- 
ied as the solution of a domain equation in the category of complete metric 
spaces [7], and in the category of coherent domains [11,8]. However, none of 
these domain-theoretic treatments yielded concrete representations of the ele- 
ments of the universal LMP. 
In this paper we exploit Stone-Gelfand-Naimark duality for commutative C*-algebras to show that the universal LMP has a very straightforward characterization as a space of order-preserving monoid homomorphisms from a partially ordered monoid $T$ of trees to the multiplicative monoid $[0,1]$.

We think of the elements of T as branching traces or trace trees. Formally they 
are just finite trees whose edges are labelled by events from a given alphabet. The 
operation of grafting two such trees at the root gives the monoid multiplication 
in T. The order on T is the natural generalization of the prefix order on traces. 
For a given LMP the corresponding homomorphism maps each trace tree to the 
probability that it gets performed. 

In an earlier paper [8] we showed that two processes are bisimilar iff they perform each trace tree¹ with the same probability. This generalized a result of
Larsen and Skou [18]. The main result of this paper can be seen as extending 
this characterization to ‘build processes out of trace trees’. This is a natural 
variation of the familiar trace models of abstract machines. 

The main mathematical tool that we use is the theorem of Stone asserting a dual equivalence between the category of compact Hausdorff spaces and continuous maps on the one hand, and the category of commutative real C*-algebras (a full subcategory of the category of commutative rings) on the other hand. This duality associates to each compact Hausdorff space the ring of continuous real-valued functions on the space, and to each C*-algebra its spectral space of characters, the ring homomorphisms into $\mathbb R$. We apply the duality to recover the universal LMP as the spectrum of a C*-algebra consisting of formal linear combinations of trace trees.

The concrete representation of the universal LMP, obtained in the first part 
of this paper, opens a new, effective approach to composing LMPs. In particu- 
lar, we augment the basic model of LMPs with entry and exit points, and study 
some basic combinators, such as sequential composition, probabilistic choice and 
iteration. Thus we obtain a category whose objects are finite sets, and where a morphism $\mathcal S : X \to Y$ is an LMP with entry points $X$ and exit points $Y$. We
show that this category is dual (contravariantly equivalent) to a category of com- 
mutative rings consisting of C*-algebras of trace trees. Represented through this 
duality, the basic combinators for LMPs have remarkably simple descriptions. 



1.1 Related Work 

Kozen [15] presents a predicate-transformer semantics of an imperative program- 
ming language with probabilistic choice. This semantics is based on a duality 
between linear maps and probabilistic relations, and is formalized in the setting 
of iteration theories. The same themes of duality and iteration theories appear in 
the present paper, but our development is in the context of interactive processes 
rather than imperative programs. In particular, for us states are not just mea- 
surable functions on a space of variables as in [15], but have a recursively-defined 
structure. 

^ In fact we took the view that trace trees are types of button-pressing tests. 
An iteration theory of probabilistic processes has been studied by Aceto, Ésik and Ingólfsdóttir [4], building on earlier work of Stark and Smolka [22]. These
two papers treat finite-state LMPs as terms in a simple probabilistic process 
calculus. Their main contributions are soundness and completeness results for 
axiomatizations of the bisimilarity relation. Since these papers deal with process 
calculi, the basic operations of prefixing, probabilistic choice and iteration are 
defined at the syntactic level using an operational semantics. These operations 
are then lifted to bisimulation equivalence classes of terms using the fact that 
bisimilarity is a congruence. In contrast, we use a concrete representation of 
bisimulation equivalence classes of LMPs as maps of C*-algebras, and define 
the basic operations directly on these representations. 

One of the most comprehensive applications of duality in semantics can be found in the work of Abramsky on domain theory in logical form [1]. This work is based on a Stone-type duality between a category of spectral spaces (SFP domains in their Scott topologies) and a category of distributive lattices. As a case study, Abramsky considers a domain for bisimulation and computes its spectrum. In this paper we compute the spectrum of a domain for probabilistic bisimulation. However, so far our work is much more modest in scope; in particular we have not tried to isolate a fragment of the duality for C*-algebras that is pertinent to any reasonable category of domains.

Another paper close in spirit to the present work is Abramsky and Vickers 
[2] . They consider a variety of equivalences for concurrent processes in a unified 
framework of quantale modules — actions of quantales on sup-lattices. In partic- 
ular, they present quantales of tests using generators and relations, and model 
transition systems as right quantale modules (where the elements of the quan- 
tale act on states of the transition system) . Using the self-duality of the category 
of sup-lattices they obtain left quantale modules of ‘process capabilities’ which 
they use to build fully abstract models of processes. 

Di Pierro, Hankin and Wiklicky [21] use C*-algebras to define abstract interpretations of probabilistic transition systems. These C*-algebras are non-commutative operator algebras, but we believe that exploring connections with this work merits further investigation.



2 Labelled Markov Processes 

Below we give the formal definition of the class of probabilistic transition systems 
that we study in this paper. This definition extends that of Larsen and Skou [18] 
by including entry points and exit points as part of the basic data. For a similar 
treatment of labelled transition systems, see [6]. 

Assume a fixed finite set $\mathrm{Act}$ of actions or events. Given a set $S$, a sub-probability distribution on $S$ is a non-negative real-valued function on $S$ with countable support and total mass no greater than 1.

Definition 1. Given finite sets $X$ and $Y$ of entry points and exit points, a labelled Markov process $\mathcal S : X \to Y$ is a tuple $(S, \iota, \mu)$ consisting of a set $S$ of states, an injective function $\iota : X \to S$ and, for each $s \in S$, a sub-probability distribution $\mu_s$ on $(\mathrm{Act} \times S) + Y$.

Given $s \in S$ and $a \in \mathrm{Act}$, $\mu_s(a,t)$ is the probability that the process in state $s$ makes an $a$-transition to $t \in S$; $\mu_s(y)$ is the probability that it makes a transition to the exit point $y \in Y$. Note that $\mu_s$ is a sub-probability distribution on $(\mathrm{Act} \times S) + Y$. We interpret the difference between the total mass of $\mu_s$ and 1 as the probability of refusing all actions. We also adopt the notation $\mu_{s,a}$ for the sub-probability distribution on $S$ given by $\mu_{s,a}(t) = \mu_s(a,t)$.

Apart from the presence of entry and exit points, Definition 1 differs from the notion of LMP in [9,8] in that, for each state $s$, the $\mu_{s,a}$ are components of a single transition probability distribution, rather than being an arbitrary family of probability distributions. In the terminology of [14] we are using the generative model as opposed to the reactive model. Also, to keep things simple, we only define LMPs with discrete probabilities. However, all our results hold for the more general case where the state space of an LMP is a measurable space and the transitions are given by sub-probability measures (see [9,8]). This more general type of LMP briefly features in the definition of a universal system in Section 7.

Probabilistic bisimilarity [18] (henceforth just bisimilarity) is the probabilis- 
tic analogue of strong bisimilarity for labelled transition systems. It gives a 
branching-time notion of behavioural equivalence for LMPs. 

Definition 2. Let $\mathcal S = (S, \iota, \mu) : X \to Y$ be an LMP. An equivalence relation $R$ on $S$ is a bisimulation if $s\,R\,t$ implies that

- for each $a \in \mathrm{Act}$ and $R$-equivalence class $A$, $\mu_{s,a}(A) = \mu_{t,a}(A)$,

- for each $y \in Y$, $\mu_s(y) = \mu_t(y)$.

We say that two states are bisimilar if they are related by some bisimulation. 

In words: an equivalence relation is a bisimulation if related states have 
matching probabilities of making transitions into any equivalence class and into 
any exit point. 



3 Operations on LMPs 

In this section we define some operations for composing LMPs. These are the 
counterparts on the semantic level of constructs that might be found in a typical 
process calculus. In particular, processes with exit points correspond to terms 
with free variables, composition corresponds to substitution of terms, and itera- 
tion corresponds to the application of the recursion operator. These definitions 
will later form the basis of a category in which LMPs are morphisms. 

Elements. Given a finite set $X$, each element $x \in X$ determines an LMP $x : 1 \to X$ with one state $*$, where $*$ makes a transition to output $x \in X$ with probability 1. Formally $x = (\{*\}, \iota, \mu)$, where $\mu_*(x) = 1$.
Tupling. Let $\mathcal S : X \to Z$ and $\mathcal S' : Y \to Z$ be LMPs with $\mathcal S = (S, \iota, \mu)$ and $\mathcal S' = (S', \iota', \mu')$. The tuple $\langle \mathcal S, \mathcal S' \rangle : X + Y \to Z$ is obtained by taking the coproduct of $S$ and $S'$, and identifying the outputs. Formally, $\langle \mathcal S, \mathcal S' \rangle = (S + S', \iota'', \mu'')$, where $\iota'' = \iota + \iota' : X + Y \to S + S'$, and

\[ \mu''_s(v) = \begin{cases} \mu_s(v) & \text{if } s \in S,\ v \in (\mathrm{Act} \times S) + Z \\ \mu'_s(v) & \text{if } s \in S',\ v \in (\mathrm{Act} \times S') + Z \\ 0 & \text{otherwise.} \end{cases} \]

Composition. Let $\mathcal S : X \to Y$ and $\mathcal S' : Y \to Z$ be LMPs with $\mathcal S = (S, \iota, \mu)$ and $\mathcal S' = (S', \iota', \mu')$. The composition $(\mathcal S\,;\,\mathcal S') : X \to Z$ is obtained by connecting the outputs of $\mathcal S$ with the inputs of $\mathcal S'$. Formally $\mathcal S\,;\,\mathcal S' = (S + S', \iota'', \mu'')$, where $\iota'' = (S \to S + S') \circ \iota$, and

\[ \mu''_s(v) = \begin{cases} \mu_s(v) & \text{if } s \in S,\ v \in \mathrm{Act} \times S \\ \sum_{y \in Y} \mu_s(y)\,\mu'_{\iota' y}(v) & \text{if } s \in S,\ v \in (\mathrm{Act} \times S') + Z \\ \mu'_s(v) & \text{if } s \in S',\ v \in (\mathrm{Act} \times S') + Z. \end{cases} \]

Thus composition is given by integration, just as in the category of stochastic relations studied in [3].

Iteration. Given $\mathcal S : X \to X + Y$ with $\mathcal S = (S, \iota, \mu)$, the iterate $\mathcal S^\dagger : X \to Y$ is obtained by connecting each exit point $x \in X$ to the corresponding entry point. Writing $\mathcal S^\dagger = (S, \iota, \hat\mu)$, we define $\hat\mu$ so as to satisfy:

\[ \hat\mu_s(v) = \mu_s(v) + \sum_{x \in X} \mu_s(x)\,\hat\mu_{\iota x}(v) \tag{1} \]

for $s \in S$ and $v \in (\mathrm{Act} \times S) + Y$.

The definition of $\hat\mu$ relies on the Kleene-* operation for matrices over the semiring (see Appendix A). Write $X = \{x_1, \dots, x_n\}$ and $Y = \{y_1, \dots, y_p\}$. Let $A$ be the $n \times n$ matrix with $A_{ij} = \mu_{\iota x_i}(x_j)$ and $B$ the $n \times p$ matrix with $B_{ij} = \mu_{\iota x_i}(y_j)$. We first define the transition behaviour of the entry states by

\[ \hat\mu_{\iota x_i}(y_j) = (A^*B)_{ij} \quad\text{and}\quad \hat\mu_{\iota x_i}(a,t) = (A^*v)_i, \]

where $v$ is the column vector whose $j$-th entry is $\mu_{\iota x_j}(a,t)$. Now the definition of $\hat\mu_s$ for $s \in S \setminus \mathrm{Range}(\iota)$ can be read off from Equation 1.

Probabilistic Choice. Let $X$ be a finite set, $X \xrightarrow{\mathrm{in}_1} X + X \xleftarrow{\mathrm{in}_2} X$ a designated coproduct, and $0 \leq r \leq 1$ a real number. We define the LMP $\oplus_r : X \to X + X$ by $\oplus_r = (X, \mathrm{id}_X, \mu)$, where $\mu_x(\mathrm{in}_1(x)) = r$ and $\mu_x(\mathrm{in}_2(x)) = 1 - r$ for each $x \in X$; that is, state $x$ selects output $\mathrm{in}_1(x)$ with probability $r$ and output $\mathrm{in}_2(x)$ with probability $1 - r$. Given LMPs $\mathcal S, \mathcal S' : X \to Y$, we write $\mathcal S \oplus_r \mathcal S'$ for $\oplus_r\,;\,\langle \mathcal S, \mathcal S' \rangle$.
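The composition and iteration operations above, carried out on finite discrete LMPs (an added example, not code from the paper). The `LMP` class, the outcome encoding (`('a', t)` for an $a$-transition, `('exit', y)` for an exit) and the function names are this example's own; probabilities are exact rationals so that the Kleene star $A^* = (I - A)^{-1}$ can be checked exactly. The edge case a practitioner has to handle is the one the text's semiring is there for: when some set of entry points feeds back into itself with probability 1, the series $\sum_k A^k$ diverges, $I - A$ is singular, and the iterate has no finite definition, so `iterate` refuses instead of returning a number.

```python
"""Finite discrete LMPs with entry and exit points: composition S ; S' and the
iterate S^dagger of Section 3 (added example; class and function names are ours).
Probabilities are exact rationals so that the Kleene star can be checked exactly."""
from fractions import Fraction as Fr

class LMP:
    """S : X -> Y.  entry_of[x] is the entry state iota(x); mu[s] maps an outcome
    ('a', t) (a-transition to state t) or ('exit', y) to its probability.  Missing
    outcomes have probability 0; the mass 1 - sum is the probability of refusing."""
    def __init__(self, X, Y, entry_of, mu):
        self.X, self.Y, self.entry_of, self.mu = list(X), list(Y), dict(entry_of), mu
        for s, dist in mu.items():
            assert all(p >= 0 for p in dist.values()), s
            assert sum(dist.values(), Fr(0)) <= 1, ("not a sub-probability", s)

def _add(dist, out, p):
    if p:
        dist[out] = dist.get(out, Fr(0)) + p

def compose(S, T):
    """S ; T : X -> Z for S : X -> Y and T : Y -> Z.  Exiting S at y costs no step:
    the mass mu_s(y) is redistributed over one step of T from iota'(y)."""
    assert not set(S.mu) & set(T.mu), "state sets must be disjoint"
    mu = {}
    for s, dist in S.mu.items():
        new = {}
        for out, p in dist.items():
            if out[0] == 'exit':
                for out2, q in T.mu[T.entry_of[out[1]]].items():
                    _add(new, out2, p * q)
            else:
                _add(new, out, p)
        mu[s] = new
    mu.update(T.mu)
    return LMP(S.X, T.Y, S.entry_of, mu)

def kleene_star(A):
    """A* = sum_k A^k for a square nonnegative rational matrix, computed as
    (I - A)^{-1} by exact Gauss-Jordan elimination.  Returns None when I - A is
    singular: for a sub-stochastic A that is exactly the case where the series
    diverges (some set of entry points feeds back into itself with probability 1)."""
    n = len(A)
    M = [[Fr(1 if i == j else 0) - A[i][j] for j in range(n)]
         + [Fr(1 if i == j else 0) for j in range(n)] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] != 0), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                M[r] = [a - M[r][c] * b for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

def iterate(S):
    """S^dagger : X -> Y for S : X -> X + Y, following Equation (1): entry states get
    mu-hat = A* v, every other state mu-hat_s(v) = mu_s(v) + sum_x mu_s(x) mu-hat_{iota x}(v)."""
    X = S.X
    entry = [S.entry_of[x] for x in X]
    A = [[S.mu[e].get(('exit', x), Fr(0)) for x in X] for e in entry]   # A_ij = mu_{iota x_i}(x_j)
    Astar = kleene_star(A)
    if Astar is None:
        raise ValueError("iterate undefined: entry points loop with probability 1")
    kept = {out for d in S.mu.values() for out in d if out[0] != 'exit' or out[1] not in X}
    mu = {}
    for i, e in enumerate(entry):
        mu[e] = {}
        for out in kept:                       # (A* v)_i with v_j = mu_{iota x_j}(out)
            _add(mu[e], out, sum((Astar[i][j] * S.mu[ej].get(out, Fr(0))
                                  for j, ej in enumerate(entry)), Fr(0)))
    for s, dist in S.mu.items():
        if s in mu:
            continue
        mu[s] = {}
        for out, p in dist.items():
            if out[0] == 'exit' and out[1] in X:
                for out2, q in mu[S.entry_of[out[1]]].items():
                    _add(mu[s], out2, p * q)
            else:
                _add(mu[s], out, p)
    return LMP(X, [y for y in S.Y if y not in X], S.entry_of, mu)

# Constructed sample: a retry loop S : {x} -> {x} + {ok}.  The entry state either
# silently re-enters (exit x, prob 1/2) or does `go` to s1, which then exits at ok.
RETRY = LMP(['x'], ['x', 'ok'], {'x': 's0'},
            {'s0': {('exit', 'x'): Fr(1, 2), ('go', 's1'): Fr(1, 2)},
             's1': {('exit', 'ok'): Fr(1)}})

if __name__ == "__main__":
    print(iterate(RETRY).mu)     # s0 now does `go` with probability 1: the silent loop is absorbed
```

For `RETRY`, $A = [1/2]$ and $A^* = [2]$, so the entry state's `go` mass $2 \cdot 1/2 = 1$ absorbs the silent self-loop, exactly as $(A^*v)_i$ prescribes. Replacing the entry state's distribution by `{('exit', 'x'): 1}` makes $I - A = [0]$ singular and `iterate` raises.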
The above operations form the basis of the iteration theory of LMPs defined in Section 8. More precisely, this theory is predicated on LMPs modulo bisimilarity, where the bisimilarity relation is extended from states to LMPs in the definition below.

Definition 3. Let $\mathcal S, \mathcal S' : X \to Y$ be LMPs, and let the tuple $\langle \mathcal S, \mathcal S' \rangle$ be defined relative to a designated coproduct $X \xrightarrow{\mathrm{in}_1} X + X \xleftarrow{\mathrm{in}_2} X$. We say that $\mathcal S$ and $\mathcal S'$ are bisimilar, written $\mathcal S \sim \mathcal S'$, if there is a bisimulation $R$ on the tuple $\langle \mathcal S, \mathcal S' \rangle$ which relates entry points $\mathrm{in}_1(x)$ and $\mathrm{in}_2(x)$ for each $x \in X$.

4 A Monoid of Trace Trees 

In this section we present a grammar for a class of trees corresponding to 
branching-time traces of an LMP. This language (minus exit actions) corre- 
sponds to the test languages of [18,8] which were shown to characterize, respec- 
tively, similarity in labelled transition systems, and probabilistic bisimilarity in 
labelled Markov processes. 

Fix a finite set Y (corresponding to the exit points of an LMP). The language 
of trace trees is generated by the grammar 

\[ \tau ::= 1 \;\mid\; y \;\mid\; a\tau \;\mid\; \tau \cdot \tau \tag{2} \]



where a € Act and y € Y. 

A trace tree is either the null tree 1, an exit action $y \in Y$, a prefixing $a\tau$, or a branch point $\tau_1 \cdot \tau_2$. Note the distinction between prefixing (which is denoted by mere juxtaposition) and branching. We will typically elide the symbol 1 when denoting non-trivial trace trees, e.g., we write $a \cdot bc$ for $a1 \cdot bc1$. Without the branching construct the grammar above would just specify a language of traces. In order to physically realize a branching-time trace one would need to be able to duplicate the process at any point in a run, for instance, via a save-and-restore construct.

Definition 4. Given an LMP $\mathcal S : X \to Y$, with $\mathcal S = (S, \iota, \mu)$, for each $s \in S$ we define $\tau_{\mathcal S}(s)$, the probability that $s$ performs tree $\tau$:

- $1_{\mathcal S}(s) = 1$.

- $y_{\mathcal S}(s) = \mu_s(y)$.

- $(a\tau)_{\mathcal S}(s) = \int \tau_{\mathcal S}\, d\mu_{s,a}$.

- $(\tau_1 \cdot \tau_2)_{\mathcal S}(s) = (\tau_1)_{\mathcal S}(s)\,(\tau_2)_{\mathcal S}(s)$.

The null tree is performed with probability 1 in any state. The probability that $a\tau$ is performed in any given state is the weighted average of the probability that $\tau$ is performed in the next state after an $a$-transition. The last clause says that the probability of performing an immediately branching tree $\tau_1 \cdot \tau_2$ is the product of the probabilities of performing each branch.

For determining an LMP up to bisimilarity, only the behaviour of states reachable from the entry points matters. Given $\mathcal S : X \to Y$, for each $x \in X$ we define the real-valued function $\mathcal S_x$ on trace trees by $\mathcal S_x(\tau) = \tau_{\mathcal S}(\iota x)$. Thus $\mathcal S_x(\tau)$ is the probability that $\mathcal S$ does $\tau$ on input $x$. The following theorem is a generalization of the main result of [8] to allow for LMPs with entry and exit points.

Theorem 5. Let $\mathcal S, \mathcal T : X \to Y$ be LMPs. Then $\mathcal S$ and $\mathcal T$ are bisimilar iff $\mathcal S_x = \mathcal T_x$ for all $x \in X$.
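Definition 2, Definition 4 and Theorem 5 together, on a finite discrete LMP (an added example, not code from the paper). `bisimulation` computes the coarsest bisimulation of Definition 2 by partition refinement, which is the decision procedure for finite state spaces; `performs` evaluates $\tau_{\mathcal S}(s)$ by the four clauses of Definition 4. The constructed sample is the classic pair of states that agree on every linear trace yet are not bisimilar: only a branching tree $a(by \cdot cy)$ separates them, which is why the test language needs the branching construct. Evaluating trees can only exhibit a separating tree or agreement on the trees tried; it is the partition refinement that decides bisimilarity. The state encoding (`mu[s]` maps `('a', t)` or `('exit', y)` to a rational; the action name `'exit'` is reserved) and the function names are this example's own.

```python
"""Probabilistic bisimilarity on a finite discrete LMP by partition refinement
(Definition 2) and the trace-tree probabilities of Definition 4, used to check
Theorem 5 on sample trees (added example; encoding and names are ours).
mu[s] maps ('a', t) or ('exit', y) to a rational probability; 'exit' is reserved."""
from fractions import Fraction as Fr

def bisimulation(mu):
    """Coarsest bisimulation on the states of mu, returned as state -> block id.
    Starting from a single block, states are split whenever their signatures
    (mu_{s,a}(A) for each action a and current block A, and mu_s(y) for each exit
    y) differ; since each round refines the previous partition, the first round
    that does not increase the number of blocks has reached the fixed point."""
    block = {s: 0 for s in mu}
    while True:
        sigs = {}
        for s, dist in mu.items():
            sig = {}
            for out, p in dist.items():
                key = out if out[0] == 'exit' else (out[0], block[out[1]])
                sig[key] = sig.get(key, Fr(0)) + p
            sigs[s] = (block[s], frozenset(sig.items()))
        ids = {sig: i for i, sig in enumerate(set(sigs.values()))}
        new = {s: ids[sigs[s]] for s in mu}
        if len(ids) == len(set(block.values())):
            return new
        block = new

def bisimilar(mu, s, t):
    b = bisimulation(mu)
    return b[s] == b[t]

# Trace trees as tuples: ('null',), ('exit', y), ('pre', a, tau), ('dot', tau1, tau2).
def performs(mu, tree, s):
    """tau_S(s): the probability that state s performs trace tree tau (Definition 4)."""
    kind = tree[0]
    if kind == 'null':
        return Fr(1)
    if kind == 'exit':
        return mu[s].get(('exit', tree[1]), Fr(0))
    if kind == 'pre':                           # integral of tau against mu_{s,a}
        a, sub = tree[1], tree[2]
        return sum((p * performs(mu, sub, out[1]) for out, p in mu[s].items() if out[0] == a), Fr(0))
    if kind == 'dot':                           # branches are independent copies
        return performs(mu, tree[1], s) * performs(mu, tree[2], s)
    raise ValueError(tree)

# Constructed sample LMP with exit point y.  p resolves the b/c choice at the first
# step, p2 defers it to the second; they have the same linear traces but are not
# bisimilar.  p3 is a two-way split of p2's behaviour and is bisimilar to p2.
MU = {
    'p':  {('a', 'q1'): Fr(1, 2), ('a', 'q2'): Fr(1, 2)},
    'q1': {('b', 'u'): Fr(1)},
    'q2': {('c', 'u'): Fr(1)},
    'p2': {('a', 'q3'): Fr(1)},
    'q3': {('b', 'u'): Fr(1, 2), ('c', 'u'): Fr(1, 2)},
    'p3': {('a', 'q3'): Fr(1, 2), ('a', 'q4'): Fr(1, 2)},
    'q4': {('b', 'u'): Fr(1, 2), ('c', 'u'): Fr(1, 2)},
    'u':  {('exit', 'y'): Fr(1)},
}
LINEAR_AB = ('pre', 'a', ('pre', 'b', ('exit', 'y')))                                        # a b y
BRANCHING = ('pre', 'a', ('dot', ('pre', 'b', ('exit', 'y')), ('pre', 'c', ('exit', 'y'))))  # a(by . cy)

if __name__ == "__main__":
    print(bisimulation(MU))
    for s in ('p', 'p2', 'p3'):
        print(s, performs(MU, LINEAR_AB, s), performs(MU, BRANCHING, s))
```

Both `p` and `p2` perform $aby$ with probability $1/2$, but $a(by \cdot cy)$ with probability $0$ and $1/4$ respectively, and the refinement puts them in different blocks, while `p2` and `p3` share a block and agree on every tree, as Theorem 5 requires.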

Having used trace trees to characterize equivalence of states, we consider the dual problem: when are two trees equivalent, in that each state performs them with the same probability? More generally, we define a preorder $\leq$ on trace trees by $\tau \leq \tau'$ iff $\tau_{\mathcal S} \leq \tau'_{\mathcal S}$ for all LMPs $\mathcal S$. The key to constructing a model for LMPs that is fully abstract with respect to bisimilarity is to axiomatize this preorder. As a first step, notice that the map $(-)_{\mathcal S}$ preserves the equations below. These say that the set of trace trees forms a commutative monoid equipped with the smallest partial order in which 1 is the top element and prefixing and multiplication are monotone.

\[ \begin{array}{ll} 1 \cdot \tau = \tau & \tau \leq 1 \\ \tau_1 \cdot \tau_2 = \tau_2 \cdot \tau_1 & \tau_1 \cdot \tau \leq \tau_2 \cdot \tau \ \text{ if } \tau_1 \leq \tau_2 \\ \tau_1 \cdot (\tau_2 \cdot \tau_3) = (\tau_1 \cdot \tau_2) \cdot \tau_3 & a\tau_1 \leq a\tau_2 \ \text{ if } \tau_1 \leq \tau_2 \end{array} \]

We denote the resulting partially-ordered monoid by $T[Y]$. Thus we have a monoid for each set $Y$ of exit actions.

5 Stone-Gelfand-Naimark Duality 

Our basic reference for this section is the monograph of Johnstone [16]. We define C*-algebras to be certain types of commutative rings. The category C*-Alg is the resulting full subcategory of CRng. Here we should emphasize that we take C*-algebras to be algebras over $\mathbb R$ as opposed to the more standard presentation as algebras over $\mathbb C$ (cf. Naimark [13, Theorem III.2.1]).

Let $A$ be a commutative ring. Since we are primarily interested in rings of functions, we use $f, g$ to denote typical elements of $A$. We say that $A$ is an ordered ring if it is equipped with a partial order satisfying

\[ f \cdot g \leq f' \cdot g \quad \text{if } f \leq f',\ g \geq 0. \]

We say that an ordered commutative ring $A$ is Archimedean if for all $f$ there exists a positive integer $n$ with $f \leq n \cdot 1$. If the additive group of $A$ is torsion-free and divisible, so that $A$ admits a $\mathbb Q$-algebra structure, then we may define a seminorm² on $A$ by

\[ \|f\| = \inf\{\, q \in \mathbb Q \mid -q \cdot 1 \leq f \leq q \cdot 1 \,\}. \tag{3} \]

² Non-zero elements can have norm zero.
Definition 6. A commutative ring $A$ is a real C*-algebra if

- the additive group of $A$ is torsion-free and divisible, and
- $A$ possesses an Archimedean partial order such that Equation 3 defines a norm with respect to which $A$ is complete.

In a C*-algebra it turns out that $f \geq 0$ iff $f$ is a square. Thus the partial order is determined by the ring structure, and ring homomorphisms between C*-algebras are automatically order preserving.

Definition 7. A character of a C*-algebra $A$ is a ring homomorphism $A \to \mathbb R$. The spectrum of $A$, denoted $\mathrm{spec}\,A$, is the space of characters of $A$ in the Zariski topology, which is generated by the cozero sets $\mathrm{coz}(f) = \{\varphi : \varphi(f) \neq 0\}$ where $f \in A$.

The spectrum of a C*-algebra is a compact Hausdorff space. Conversely, the ordered ring $C^*(X)$ of continuous real-valued functions on a compact Hausdorff space $X$ is always a C*-algebra. This association of compact Hausdorff spaces and C*-algebras is functorial, and is in fact a dual equivalence:

Theorem 8 (Stone). The category KHaus of compact Hausdorff spaces and 
continuous maps is dually equivalent to C*-Alg. 

6 A Family of C*-Algebras 

In this section we extend the monoid of trace trees to a C*-algebra whose spectrum is the state space of a universal LMP.

Fix a set Y of exit points. We extend the grammar (2) for trace trees to 
a grammar of functional expressions by allowing rational linear combinations. 
Thus functional expressions are given by 

\[ f ::= q \;\mid\; y \;\mid\; af \;\mid\; f \cdot f \;\mid\; f + f \tag{4} \]

where $a \in \mathrm{Act}$, $y \in Y$ and $q \in \mathbb Q$.

We will use the letters / and g to denote functional expressions. We adopt 
the convention that a term denoted r has been generated using only the sub- 
grammar (2). We reserve the phrase trace tree for such terms. 

We use functional expressions as generators in a presentation of a family of ordered rings $\mathcal{O}[Y]$, where the index $Y$ indicates the dependence on the finite set $Y$ of exit variables. In this presentation $\cdot$ acts as multiplication, $1$ is the multiplicative identity, and $+$ acts as addition in $\mathcal{O}[Y]$.

The relations in the presentation of $\mathcal{O}[Y]$ include the equations for an ordered ring: the Abelian group axioms for $+$, the commutative monoid axioms for $\cdot$, the distributive law of $\cdot$ over $+$, and axioms asserting the compatibility of the order relation with the ring structure. To these we add Equations 5–8 below. The effect of these equations is to fix the semantics of prefixing as integration against a sub-probability measure. Note that the distributive law (8) implies that every functional expression is equal to a linear combination of trace trees.



$$0 \le y \tag{5}$$

$$af \le ag \quad \text{if } f \le g \tag{6}$$

$$\sum_{a \in \mathrm{Act}} a1 + \sum_{y \in Y} y \le 1 \tag{7}$$

$$a(q_1 \cdot f + q_2 \cdot g) = q_1 \cdot af + q_2 \cdot ag \tag{8}$$

Definition 9. Define $\mathcal{O}[Y]$ to be the free ordered ring$^{**}$ generated by the set of functional expressions and satisfying Equations 5–8.

Proposition 10. $\mathcal{O}[Y]$ is a torsion-free divisible Archimedean ordered ring.

$\mathcal{O}[Y]$ is Archimedean since each functional expression is equal to a linear combination of trace trees, and each trace tree $\tau$ satisfies $\tau \le 1$.

Definition 11. Define the $C^*$-algebra $\mathcal{A}[Y]$ to be the Cauchy completion of $\mathcal{O}[Y]$ in the norm (3). The ring operations on $\mathcal{O}[Y]$ are non-expansive in this norm, so they extend to $\mathcal{A}[Y]$.

Proposition 12. $\mathcal{A}[Y]$ is the free $C^*$-algebra over $\mathcal{O}[Y]$ qua ordered ring.

Remark 13. Combining Definition 9 and Proposition 12 we see that in order to specify a ring homomorphism from $\mathcal{A}[Y]$ to a $C^*$-algebra $R$ it suffices to give an interpretation of the functional expressions in $R$ such that the relations in the presentation of $\mathcal{O}[Y]$ all hold. Since the interpretations of $+$ and $\cdot$ are forced, this boils down to interpreting prefixing $a(-)$ and exit actions $y \in Y$.

Given a set $S$, write $C^*(S)$ for the ring of bounded real-valued functions on $S$. This ring is a $C^*$-algebra (cf. [16]).

Definition 14. Let $S\colon X \to Y$ be an LMP with $S = (S, i, \mu)$. We define a ring homomorphism

$$(-)_S\colon \mathcal{A}[Y] \to C^*(S)$$

by the following clauses:

$$(af)_S(s) = \int_S f_S \, d\mu_{s,a}, \qquad (y)_S(s) = \tau_s(y).$$

Furthermore we define $S_x \in \operatorname{spec} \mathcal{A}[Y]$ by $S_x(f) = f_S(i(x))$.

Note that this extends Definition 4. Indeed, since every element of $\mathcal{O}[Y]$ is equal to a linear combination of trace trees, an element of $\operatorname{spec} \mathcal{A}[Y]$ is determined by an order-preserving monoid homomorphism $\mathcal{T}[Y] \to [0,1]$ satisfying Equation 7.

$^{**}$ Note in passing that the existence of a free ordered ring on a given set of generators and relations follows from the existence of free algebras for Horn theories.
7 Universal LMPs

In this section we define a universal LMP $\mathcal{U}[Y]\colon 0 \to Y$ on outputs $Y$. The state space of $\mathcal{U}[Y]$ is $\operatorname{spec} \mathcal{A}[Y]$. In order to manufacture the transition probabilities we use the Riesz representation theorem [20].

Theorem 15 (Riesz). Let $K$ be a compact Hausdorff space and $\varphi\colon C^*(K) \to \mathbb{R}$ a positive linear map, i.e. $\varphi(f) \ge 0$ whenever $f \ge 0$. Then there is a unique positive Borel measure $\mu$ on $K$ such that $\varphi(f) = \int f \, d\mu$ for all $f \in C^*(K)$.

The transition behaviour of $\varphi \in \operatorname{spec} \mathcal{A}[Y]$ is given by a sub-probability measure on $(\mathrm{Act} \times \operatorname{spec} \mathcal{A}[Y]) + Y$ which is defined as follows. First, the probability of making a transition to the exit $y \in Y$ is defined to be $\varphi(y)$. Next, given $a \in \mathrm{Act}$, let $\varphi_a\colon \mathcal{A}[Y] \to \mathbb{R}$ be defined by $\varphi_a(f) = \varphi(af)$. The distributive law (8) ensures that $\varphi_a$ is a linear map. Also, $\varphi_a$ is positive since $\varphi$ is positive and prefixing is monotone in $\mathcal{A}[Y]$. We define $\mu_{\varphi,a}$ to be the Borel sub-probability measure on $\operatorname{spec} \mathcal{A}[Y]$ corresponding by Theorem 15 to the linear map

$$C^*(\operatorname{spec} \mathcal{A}[Y]) \cong \mathcal{A}[Y] \xrightarrow{\;\varphi_a\;} \mathbb{R}.$$

Note the application of Theorem 8 in the above isomorphism. Finally, we observe that Equations 5 and 7 guarantee that $\mu_{\varphi,a}$, as defined above, is a sub-probability measure.

In order to state the universal property of $\mathcal{U}[Y]$, we define the notion of a zig-zag map [9].

Definition 16. Let $S, S'$ be LMPs on exits $Y$. Suppose that $S = (S, i, \mu)$ and $S' = (S', i', \mu')$. A function $h\colon S \to S'$ is a zig-zag map iff

– $\mu_{s,a}(h^{-1}(t)) = \mu_{h(s),a}(t)$ for all $s \in S$, $t \in S'$ and $a \in \mathrm{Act}$;
– $\tau_s(y) = \tau_{h(s)}(y)$ for all $s \in S$, $y \in Y$.

The following proposition is proved in [9].

Proposition 17. Let $S, S'$ be LMPs on exits $Y$. A function $h\colon S \to S'$ is a zig-zag map iff the kernel of $h$ is a bisimulation.

Next we show how the initiality of $\mathcal{A}[Y]$ transfers, via Stone duality, to the finality of $\mathcal{U}[Y]$.

Proposition 18. Let $S = (S, i, \mu)$ be an LMP on exits $Y$. Then a function $h\colon S \to \operatorname{spec} \mathcal{A}[Y]$ is a zig-zag map $S \to \mathcal{U}[Y]$ iff the dual map $\hat h\colon \mathcal{A}[Y] \to C^*(S)$, where $\hat h(f)(s) = h(s)(f)$, satisfies

– $\hat h(af)(s) = \int_S \hat h(f) \, d\mu_{s,a}$, and
– $\hat h(y)(s) = \tau_s(y)$ for all $s \in S$, $y \in Y$.

Proof (Sketch). The zig-zag condition in Definition 16 says that $\int (f \circ h) \, d\mu_{s,a} = \int f \, d\mu_{h(s),a}$ for all step functions $f\colon S' \to \mathbb{R}$. By linearity of the integral this equation holds for all bounded real-valued $f$; but this transfers through the duality to the first equation in the proposition. □

By Remark 13 there is a unique map $\mathcal{A}[Y] \to C^*(S)$ satisfying the clauses in Proposition 18, namely the map $(-)_S$ from Definition 14. Thus we obtain:

Theorem 19. $\mathcal{U}[Y]$ is final in the category whose objects are LMPs on exits $Y$ and whose morphisms are zig-zag maps.

In conjunction with Proposition 17, the finality of $\mathcal{U}[Y]$ implies that the relation of bisimilarity on a given LMP $S\colon X \to Y$ is the kernel of the unique zig-zag map to $\mathcal{U}[Y]$. By definition, this map sends the entry state labelled by $x \in X$ to the character $S_x$. Thus we obtain:

Corollary 20. Two LMPs $S, T\colon X \to Y$ are bisimilar (cf. Definition 3) iff $S_x = T_x$ for each $x \in X$.

In particular, $S\colon X \to Y$ is represented up to bisimilarity by the $X$-indexed set $(S_x)_{x \in X}$ of characters of $\mathcal{A}[Y]$.
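The clauses of Definition 14 and the test of Corollary 20 can be run on a finite LMP. The following Python program is an added example, not code from the paper: it interprets functional expressions of grammar (4) over a discrete LMP by the clauses of Definition 14 (finite sums standing in for the integrals), computes the characters $S_x$, checks the interpretation of Equation 7 at each state, and compares two LMPs on a depth-bounded family of trace trees. The four LMPs, the tree encoding and the depth bound are constructed here. Agreement on a finite family of trees is only evidence, since Corollary 20 quantifies over all trace trees; disagreement on a single tree, however, is a proof of non-bisimilarity, and the pair $S_3$, $S_4$ shows why the monoid product matters: they agree on the linear tree $a(y)$ and differ on $a(y \cdot y)$.

```python
from fractions import Fraction as Q
from itertools import product

class LMP:
    """A discrete LMP S: X -> Y in the shape of Definition 14 (constructed here).
    entry[x] is i(x); mu[s][a][t] is mu_{s,a}({t}); tau[s][y] is tau_s(y)."""
    def __init__(self, entry, mu, tau):
        self.entry, self.mu, self.tau = entry, mu, tau

    def is_sub_probabilistic(self):
        """Equation 7 read at each state: total outgoing mass is at most 1."""
        states = set(self.entry.values()) | set(self.mu) | set(self.tau)
        for s in states:
            mass = sum((Q(p) for dist in self.mu.get(s, {}).values()
                        for p in dist.values()), Q(0))
            mass += sum((Q(p) for p in self.tau.get(s, {}).values()), Q(0))
            if mass > 1:
                return False
        return True

# Functional expressions (grammar (4)) as nested tuples:
#   ('q', r) rational constant, ('y', name) exit, ('a', act, f) prefix af,
#   ('*', f, g) product, ('+', f, g) sum.  Trace trees use only 1, exits,
#   prefixing and products.
def interp(f, S, s):
    """f_S(s), the clauses of Definition 14 with sums in place of integrals."""
    k = f[0]
    if k == 'q':
        return Q(f[1])
    if k == 'y':
        return Q(S.tau.get(s, {}).get(f[1], 0))
    if k == 'a':
        succ = S.mu.get(s, {}).get(f[1], {})
        return sum((Q(p) * interp(f[2], S, t) for t, p in succ.items()), Q(0))
    if k == '*':
        return interp(f[1], S, s) * interp(f[2], S, s)
    if k == '+':
        return interp(f[1], S, s) + interp(f[2], S, s)
    raise ValueError(f)

def character(S, x, f):
    """The character S_x in spec A[Y]: S_x(f) = f_S(i(x))."""
    return interp(f, S, S.entry[x])

def trace_trees(acts, exits, depth):
    """Trace trees up to a depth bound: 1, exits, prefixes and binary products."""
    trees = [('q', 1)] + [('y', y) for y in exits]
    for _ in range(depth):
        new = [('a', a, t) for a in acts for t in trees]
        new += [('*', t, u) for t, u in product(trees, repeat=2)]
        trees = list({*trees, *new})
    return trees

def separating_tree(S, T, entries, acts, exits, depth=2):
    """A trace tree on which some S_x and T_x differ, or None if none is found
    up to the depth bound (by Corollary 20 none exists iff S, T are bisimilar)."""
    for t in sorted(trace_trees(acts, exits, depth), key=repr):
        for x in entries:
            if character(S, x, t) != character(T, x, t):
                return t
    return None

# Constructed LMPs over Act = {a}, exits Y = {y}, entries X = {x}.
# S1: x enters s0, s0 --a,1--> s1, and s1 exits at y with probability 1.
S1 = LMP({'x': 's0'}, {'s0': {'a': {'s1': 1}}}, {'s1': {'y': 1}})
# S2: the a-move branches to two states that both exit at y; bisimilar to S1.
S2 = LMP({'x': 'u0'}, {'u0': {'a': {'u1': Q(1, 2), 'u2': Q(1, 2)}}},
         {'u1': {'y': 1}, 'u2': {'y': 1}})
# S3: the a-move branches and only one branch can exit.
S3 = LMP({'x': 'v0'}, {'v0': {'a': {'v1': Q(1, 2), 'v2': Q(1, 2)}}},
         {'v1': {'y': 1}})
# S4: a single a-successor that exits with probability 1/2.  S3 and S4 agree
# on a(y) but not on a(y.y), so they are not bisimilar.
S4 = LMP({'x': 'w0'}, {'w0': {'a': {'w1': 1}}}, {'w1': {'y': Q(1, 2)}})

AY = ('a', 'a', ('y', 'y'))
AYY = ('a', 'a', ('*', ('y', 'y'), ('y', 'y')))

if __name__ == '__main__':
    print(separating_tree(S1, S2, ['x'], ['a'], ['y']))
    print(character(S3, 'x', AY), character(S4, 'x', AY))
    print(character(S3, 'x', AYY), character(S4, 'x', AYY))
```

Values are kept as exact rationals so that the equality test of Corollary 20 is an exact comparison, not a floating-point one.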

8 An Iteration Theory of LMPs

The notion of an iteration theory arises by extending a Lawvere algebraic theory with an iteration operation on maps. In particular, an iteration theory is a category with finite coproducts. The iteration operation takes a map $\varphi\colon X \to X + Y$ to a map $X \to Y$, and is required to satisfy certain equations like the Elgot fixed point identity, the Bekić (pairing) identity and the group identities [5]. Flowchart algorithms, regular and context-free languages, synchronization trees and Floyd-Hoare logic have all been formalized in the setting of iteration theories (see [5]).

In Section 3 we presented the raw material for an iteration theory of LMPs; in particular we defined composition, tupling, probabilistic choice and iteration. In this section we show that one obtains an iteration theory from these operations by considering LMPs modulo bisimilarity. We present this iteration theory via a duality with a category of $C^*$-algebras and maps we call factorizations. In particular, we show that LMPs are dual to factorizations, and iterating LMPs is dual to taking fixed points of factorizations.

For each $x \in X$ the projection $\pi_x\colon \mathcal{A}[X] \to \mathbb{R}$ is the ring map defined by

$$\pi_x(af) = 0 \quad\text{and}\quad \pi_x(x') = \begin{cases} 1 & \text{if } x' = x \\ 0 & \text{if } x' \neq x \end{cases} \tag{9}$$

(Recall from Remark 13 that to define a $C^*$-algebra map with domain $\mathcal{A}[X]$ it suffices to show how to interpret prefixing and variables in the target.) Note that $\pi_x \in \operatorname{spec} \mathcal{A}[X]$ is the spectral counterpart to the LMP $x\colon 1 \to X$ in Section 3 according to the representation of Corollary 20. Given a ring map $\varphi\colon \mathcal{A}[Y] \to \mathcal{A}[X]$, the components of $\varphi$ are the characters $\varphi_x = \pi_x \circ \varphi\colon \mathcal{A}[Y] \to \mathbb{R}$, $x \in X$.
Definition 21. A (tree) factorization is a ring homomorphism $\varphi\colon \mathcal{A}[Y] \to \mathcal{A}[X]$ satisfying the following relations:

$$\varphi(af) = a\varphi(f) + \sum_{x \in X} \varphi_x(af) \cdot x$$

A factorization is completely determined by its components. In particular, given an $X$-indexed family $(\varphi_x)_{x \in X}$ in $\operatorname{spec} \mathcal{A}[Y]$, the above equations uniquely define a factorization $\varphi\colon \mathcal{A}[Y] \to \mathcal{A}[X]$. To explain the terminology, note that a factorization sends a trace tree $\tau \in \mathcal{T}[Y]$ to a linear combination of all those trees in $\mathcal{T}[X]$ from which $\tau$ may be obtained by substituting trees for leaves (see the following example).

Example 22. Let $a, b, c \in \mathrm{Act}$ and $X = \{x\}$. A factorization $\mathcal{A}[Y] \to \mathcal{A}[X]$ maps $ab \cdot c$ to a linear combination of the trees $x \cdot x$, $x \cdot c$, $ax \cdot x$, $ax \cdot c$, $ab \cdot x$ and $ab \cdot c$.

Definition 23. The category Fact is the subcategory of CRng with objects the $C^*$-algebras $\mathcal{A}[X]$, where $X$ is a finite set, and morphisms the factorizations. Henceforth we simply take the objects of Fact to be the finite sets.



Proposition 24. Fact has finite products.

Proof (sketch). Given finite sets $X$ and $Y$, the span $X \leftarrow X + Y \to Y$ is a binary product, where $\pi_1\colon \mathcal{A}[X+Y] \to \mathcal{A}[X]$ is the factorization defined by

$$\pi_1(af) = a\pi_1(f) \quad\text{and}\quad \begin{cases} \pi_1(x) = x & x \in X \\ \pi_1(y) = 0 & y \in Y \end{cases}$$

and $\pi_2\colon \mathcal{A}[X+Y] \to \mathcal{A}[Y]$ is the factorization defined by

$$\pi_2(af) = a\pi_2(f) \quad\text{and}\quad \begin{cases} \pi_2(x) = 0 & x \in X \\ \pi_2(y) = y & y \in Y. \end{cases}$$

□



Proposition 25. Each homset $\mathrm{Fact}(X, Y)$ is a pointed dcpo in the following partial order: $\varphi \le \psi$ iff $\varphi(\tau) \le \psi(\tau)$ for each trace tree $\tau \in \mathcal{A}[X]$.

Proof. Recall two standard results about a $C^*$-algebra $A$. First, the partial order is a closed subset of $A \times A$, and second, the closed unit ball $\{f \in A : \|f\| \le 1\}$ is compact in the norm topology.

Now let $(\varphi^{(k)})_k$ be a directed set in $\mathrm{Fact}(X, Y)$. Given $\tau \in \mathcal{A}[X]$ we have that $\|\varphi^{(k)}(\tau)\| \le \|\tau\| \le 1$ since all ring maps are non-expansive. By compactness of the unit ball in $\mathcal{A}[Y]$, the net $(\varphi^{(k)}(\tau))_k$ has a limit point in the norm topology on $\mathcal{A}[Y]$. By the closedness of the partial order on $\mathcal{A}[Y]$ it easily follows that this limit point is in fact a supremum. We define a factorization $\varphi\colon \mathcal{A}[X] \to \mathcal{A}[Y]$ by specifying its values on trace trees: $\varphi(\tau) = \bigsqcup_k \varphi^{(k)}(\tau)$. Then $\varphi$ is the supremum of the family by construction.

Define the factorization $\bot_{XY}\colon X \to Y$ by $\bot_{XY}(af) = a\bot_{XY}(f)$ and $\bot_{XY}(x) = 0$ for all $x \in X$. Then $\bot_{XY}$ is least in $\mathrm{Fact}(X, Y)$. □
Proposition 26. Composition in Fact is jointly continuous:

$$\Big(\bigsqcup_k \varphi^{(k)}\Big) \circ \psi = \bigsqcup_k \big(\varphi^{(k)} \circ \psi\big) \quad\text{and}\quad \chi \circ \Big(\bigsqcup_k \varphi^{(k)}\Big) = \bigsqcup_k \big(\chi \circ \varphi^{(k)}\big),$$

for any directed family $\varphi^{(k)}\colon X \to Y$, $\psi\colon W \to X$ and $\chi\colon Y \to Z$.

Moreover composition is left-strict in that $\bot_{YZ} \circ \varphi = \bot_{XZ}$ for $\varphi\colon X \to Y$.

Proof. Since limits of directed sets in the unit ball of a $C^*$-algebra are also limits in the norm topology, they are preserved by any ring map. □

We use the dcpo-enriched structure of Fact in a standard way (see [5, Chapter 8]) to define a dagger operation taking a morphism $\varphi\colon X + Y \to X$ to a morphism $\varphi^\dagger\colon Y \to X$ (think of parameterized fixed point). The dagger operation satisfies the Elgot fixed point identity $\varphi^\dagger = \varphi \circ \langle \varphi^\dagger, \mathrm{id}_Y \rangle$ (where the angled brackets refer to product tupling in Fact).

Definition 27. Given a factorization $\varphi\colon X + Y \to X$, the iterate $\varphi^\dagger\colon Y \to X$ is defined to be $\bigsqcup_n \varphi^{(n)}$, where $\varphi^{(0)} = \bot_{YX}$ and $\varphi^{(n+1)} = \varphi \circ \langle \varphi^{(n)}, \mathrm{id}_Y \rangle$.



8.1 Duality between LMPs and Factorizations

Recall that an LMP $S\colon X \to Y$ is determined up to bisimilarity by the $X$-indexed set $(S_x)_{x \in X}$, where $S_x \in \operatorname{spec} \mathcal{A}[Y]$ gives the behaviour at the entry point $x \in X$. But, by the remarks following Definition 21, this $X$-tuple of characters also determines a factorization, which we denote $\hat S\colon \mathcal{A}[Y] \to \mathcal{A}[X]$. We regard $\hat S$ as the dual of $S$ (note the reversal of direction). Each factorization is the dual of some LMP and this duality is faithful up to bisimilarity of LMPs.

Proposition 28. Given LMPs $S, T\colon X \to Y$, $\hat S = \hat T$ iff $S$ and $T$ are bisimilar.

The following proposition shows that composition of LMPs corresponds to functional composition of factorizations.

Proposition 29. Given LMPs $S\colon X \to Y$ and $T\colon Y \to Z$, $\widehat{S;T} = \hat S \circ \hat T$.

Proof (sketch). The key is to show how $\hat T$ acts as a ‘predicate transformer’. In particular, given $x \in X$, one shows by structural induction on $f \in \mathcal{A}[Z]$ that $(S;T)_x(f) = S_x(\hat T(f))$. □

Iteration of LMPs and fixed points of factorizations also correspond via the duality. A nice consequence of this is the fact that the iteration theory identities for the dagger operation on LMPs all follow by virtue of the standard construction used in Definition 27 (see [5, Chapter 8, Theorem 2.15]). The reader may compare with the proof in [4] that, modulo bisimilarity, terms in a calculus for regular probabilistic processes form an iteration theory.

Proposition 30. If $S\colon X \to X + Y$ is an LMP then $\widehat{S^\dagger} = (\hat S)^\dagger$.
9 Summary and Future Work

In programming and semantical frameworks, there are usually many different ways to represent the same computational behaviours. In concurrency, canonical representatives of the equivalence classes of bisimilar processes are represented as elements of final coalgebras, often constructed in categories of domains. The applicability of such theories hinges on convenient representations of those elements. The final coalgebra capturing LMPs has been described in [7]. The domain-theoretic treatment is in [11,8]. However the issue of representability had so far not been tackled. In the present paper, a method for obtaining canonical representatives of LMPs has been presented. Their states are represented as simple monoid homomorphisms. The simplicity of this representation supports hope for a wider practical applicability of the LMP model.

Our application of Stone duality for $C^*$-algebras to derive canonical representatives of LMPs is an instance of a general approach to representing computational behaviours by lifting dualities and adjunctions. A detailed account of this general framework, with applications to other computational structures, will be described in forthcoming work.

Unlike the papers [9,11,8] we have not emphasized the measure-theoretic aspects of LMPs, but instead focused on the discrete case. As we already said, the idea was to communicate the essential concepts with the minimum overhead. However, another reason for this policy is that treating LMPs at the level of measurable spaces sits rather uneasily with the assumption of finite sets of entry and exit points. This suggests that an interesting direction for further work would be to allow the domain and codomain of an LMP to be measurable spaces. This would yield a category of measurable spaces and LMPs. It would be interesting to compare such a category to the category of probabilistic relations studied in [3].

Finally, we intend to investigate connections between our representation of LMPs and the notion of formal tree series [12].
A Semiring Facts

Consider the semiring of nonnegative reals with the usual addition and multiplication, and with $\infty$ adjoined. In this semiring we have $\infty \cdot 0 = 0 \cdot \infty = 0$ and $\infty + a = a + \infty = \infty$. Let Mat denote the semiring of matrices over it. This semiring is $\omega$-complete (it has countable sums), so there is a Kleene-$*$ operation, $A^*$ being the countable sum of the powers of $A$.

Proposition 31. Let $A$ be an $n \times n$ matrix and $B$ an $n \times p$ matrix in Mat. If $[A\ B]$ is a sub-stochastic matrix, i.e. the entries on each row have sum no greater than 1, then $A^*B$ is a sub-stochastic matrix.
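Proposition 31 can be checked computationally. The following Python program is an added example, not part of the paper: it computes $A^*B$ by Kleene iteration, $Z_0 = B$ and $Z_{k+1} = B + AZ_k$, so that $Z_k = (I + A + \cdots + A^{k-1})B$ is the $k$-th partial sum of the countable sum defining $A^*B$, and it checks at every step that the iterate stays sub-stochastic. The matrices are constructed here: $A$ holds the transition probabilities among two internal states and $B$ the probabilities of leaving to a single exit, so $A^*B$ is the probability of eventually exiting; for this instance the iteration converges geometrically in floating point. The absorbing case $A = [1]$, $B = [0]$ is included to show that $A^*B$ is sub-stochastic even though $A^*$ itself has an infinite entry.

```python
# Added example (not from the paper): Kleene iteration for A* B with a check of
# Proposition 31 on every partial sum.  Matrices are lists of rows of floats.

def row_sums(m):
    return [sum(r) for r in m]

def is_sub_stochastic(m, tol=1e-12):
    """Non-negative entries and every row summing to at most 1."""
    nonneg = all(x >= -tol for r in m for x in r)
    return nonneg and all(s <= 1 + tol for s in row_sums(m))

def mat_mul(a, b):
    cols = len(b[0])
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(cols)]
            for i in range(len(a))]

def mat_add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def star_times(a, b, iterations=200):
    """A* B via Z <- B + A Z.  Returns the final iterate and a flag saying
    whether every iterate (each a partial sum of A* B) was sub-stochastic."""
    z = [row[:] for row in b]
    all_sub = is_sub_stochastic(z)
    for _ in range(iterations):
        z = mat_add(b, mat_mul(a, z))
        all_sub = all_sub and is_sub_stochastic(z)
    return z, all_sub

# Constructed instance: [A B] has row sums 0.85 and 1.0, so it is sub-stochastic.
# Exact value: (I - A)^{-1} = [[2, 1], [0, 2]], hence A* B = [[0.7], [1.0]].
A = [[0.5, 0.25],
     [0.0, 0.5]]
B = [[0.1],
     [0.5]]

if __name__ == '__main__':
    z, ok = star_times(A, B)
    print(z, ok)
    # Absorbing state: A* = 1 + 1 + ... is infinite, yet A* B = [[0.0]].
    print(star_times([[1.0]], [[0.0]]))
```

Running the iteration to a fixed count is enough here because the spectral radius of $A$ is $1/2$; an implementation over the $\infty$-adjoined semiring would instead take the supremum of the increasing chain, which is what the proposition is about.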
Abstract. This paper compares the expressiveness of ambient calculi against different dialects of the pi-calculus. Cardelli and Gordon encoded the asynchronous pi-calculus into their calculus of Mobile Ambients (MA). Zimmer has shown that the synchronous pi-calculus without choice can be encoded in pure (no communication) Safe Ambients. We show that pure MA without restriction has symmetric electoral systems, that is, it is possible to solve the problem of electing a leader in a symmetric network. By the work of Palamidessi, this implies that pure MA without restriction is not encodable (under certain conditions) in the pi-calculus with separate choice. We adapt the work of Carbone and Maffeis to show that pure MA cannot be encoded (under certain other conditions) into the pi-calculus with mixed choice (but without matching).



1 Introduction

The $\pi$-calculus [16] has acquired a fundamental role in modelling concurrent systems. In particular, the name-passing paradigm, on which the $\pi$-calculus is based, has proven to be a powerful and simple framework for describing different scenarios appearing in concurrency. Although the $\pi$-calculus remains a cornerstone within the panorama of process calculi, there has been the feeling that explicit constructs are needed for modelling the impressive and fast-growing reality of the Internet.

In recent years many calculi [10,22,8] have been proposed in order to represent locations, code mobility, abstract domains and security, which seem to be the main features of computation over the World Wide Web. Cardelli and Gordon introduced Mobile Ambients (MA) [7] as a foundational calculus for representing distributed computation, mobility in terms of software and hardware moving around, authorisation control etc., i.e. phenomena present over the Internet. The main advantage of MA is the simple underpinning unifying concept of ambient. Ambients are meant to represent bounded places for computation such as: concrete locations, concrete domains, abstract domains, laptop computers. Ambients move into and out of other ambients bringing along moving code, static processes and possibly other ambients. Due to its simplicity and power MA has been enormously successful (we refer to the ambient web-page: xdguan.freezope.org/wiki/AmbientCalculiOnline); moreover MA has been perceived as a fundamental calculus for representing different issues over the Internet, such as policies, security issues, etc.
Of course, the scientific community has been very interested in the comparison between these two fundamental process calculi. A basic issue is the extent to which the $\pi$-calculus (or any of its dialects) can be encoded into MA (or any of its dialects, which we refer to as ambient calculi). The asynchronous $\pi$-calculus [11,3] (a fragment without the choice operator, and with no continuation for the output) has been encoded into MA with the use of the latter's communication primitives [7]. The asynchronous $\pi$-calculus has also been encoded into the Push and Pull ambient calculus (PAC) [19]. As far as pure ambient calculi (i.e. calculi without communication) are concerned, Zimmer [23] has encoded the synchronous $\pi$-calculus without choice into pure Safe Ambients (SA) [13]. These encodings imply that ambient calculi are at least as expressive as the $\pi$-calculus (without choice). Of course, this poses the question of whether MA (or any of its dialects) can be encoded in any of the dialects of the $\pi$-calculus. This paper directly addresses this issue, which has been an open question among ambient calculi researchers.

A seminal result on expressiveness for the $\pi$-calculus is due to Palamidessi [18], who established that the $\pi$-calculus with mixed choice (i.e. where the summands in a choice can be a mixture of inputs or outputs) is strictly more expressive than the $\pi$-calculus with separate choice (i.e. where the summands must be all inputs or all outputs). In this paper we prove that a fragment of MA without restriction, communication primitives and the open capability is not encodable in the $\pi$-calculus with separate choice. Following Palamidessi, we achieve this using the problem of electing a leader in a symmetric network (symmetric leader election, or SLE).

For the $\pi$-calculus case mixed choice is crucial for writing a program that solves SLE. Choice is not present as a primitive construct in the ambient world. Nevertheless, mobility in MA has the power of pre-emption (of inhibiting alternatives), even though it cannot remove alternatives completely, as can a choice operator. This pre-emptive power is enough to break symmetry and elect a leader. More precisely, in standard MA with subjective movement (where ambients move themselves) we show that it is exactly the in capability which breaks symmetry. By contrast, in MA with objective movement (where ambients are moved from outside) there is no power to break symmetry, and so SLE cannot be solved.

Certainly in this framework results crucially depend on the definition of encoding. If the criteria for an encoding are too strong, then negative results are meaningless. If the criteria are too weak, nearly every function between languages can be viewed trivially as an encoding. In this paper we consider encodings which are "distribution-preserving", "permutation-preserving" and "observation-respecting", very much following the same criteria as in [18]. "Distribution-preserving" means preserving parallel composition in the encoding, to the end of avoiding that the translation makes use of third parties. "Permutation-preserving" means that the encodings are well-behaved with respect to bijective renamings. "Observation-respecting" means that processes are distinguished if they differ on the observable properties of their maximal computations. These criteria will be made more formal in Section 3.

With a different notion of encoding, Carbone and Maffeis [6] show that the matching operator is a primitive in the $\pi$-calculus and cannot be encoded. They require that encodings preserve non-injective substitutions and not just permutations of names. In this paper, we show that in pure MA the matching operator is not a primitive. Nested locations and restriction allow one to encode faithfully the behaviour of the matching operator. Moreover, with much the same criteria on encoding as used by Carbone and Maffeis, we can show that pure MA is not encodable into the $\pi$-calculus with mixed choice but without matching.

Although this paper deals mostly with MA, the results can be extended to PAC and SA. For the details we refer to [21].

The rest of the paper is organised as follows: in Section 2 we present the preliminaries for the $\pi$-calculus and MA; in Section 3 we look at electoral systems for the two calculi, and thereby obtain separation results; in Section 4 we consider the matching operator and obtain further separation results; conclusions follow.



2 The Calculi

2.1 The $\pi$-Calculus

We briefly review the basics for the standard $\pi$-calculus with mixed choice $\pi_m$ [16,15,20]. We shall assume the existence of an infinite set $\mathcal{N}$ of names, ranged over by $m, n, x, y, \ldots$ and other lower-case letters. The set of processes of $\pi_m$ is given by the following grammar:

$$P, Q ::= \sum_{i \in I} \alpha_i.P_i \;\mid\; !P \;\mid\; P \mid Q \;\mid\; (\nu n)P \qquad\qquad \alpha ::= m(n) \;\mid\; \bar m\langle n\rangle \;\mid\; \tau$$

where $I$ is a finite set. A summation process $\sum_{i \in I} \alpha_i.P_i$ represents a choice among the different processes $\alpha_i.P_i$; $0$, the inactive process, is an abbreviation for a summation where $I = \emptyset$. We shall feel free to omit trailing $0$s. Input on channel $m$, $m(n).P$, can be thought of as a channel $m$ that is waiting for an input before acting as $P$; the name $n$ is bound. Output $\bar m\langle n\rangle.P$ can be seen as name $n$ sent over channel $m$ before acting as $P$. $\tau$ is the silent action. Replication $!P$ simulates recursion by spinning off copies of $P$, $P \mid Q$ is the parallel composition of two processes, and $(\nu n)P$ (restriction) creates a new private name $n$ in $P$.

The set $\mathrm{fn}(P)$ of free names of a process $P$ is defined in the standard way, taking into account that the binding operators are restriction and input. We deem processes to be syntactically equal ($=$) if they are the same up to alpha-conversion of bound names. Structural congruence $\equiv$ is the least congruence generated by the following laws:

$$P \mid 0 \equiv P \qquad\qquad (\nu n)0 \equiv 0$$

$$P \mid Q \equiv Q \mid P \qquad\qquad (\nu m)(\nu n)P \equiv (\nu n)(\nu m)P$$

$$(P \mid Q) \mid R \equiv P \mid (Q \mid R) \qquad\qquad (\nu n)(P \mid Q) \equiv P \mid (\nu n)Q \ \text{ if } n \notin \mathrm{fn}(P)$$

$$!P \equiv P \mid !P$$
together with reordering of summations. We shall write $\tilde n$ for a set of restricted names $\{n_1, \ldots, n_k\}$. The reduction relation $\to$ is defined as follows:

$$\tau.P + S \to P \qquad\text{RED TAU}$$

$$(n(x).P + S) \mid (\bar n\langle y\rangle.Q + T) \to P\{y/x\} \mid Q \qquad\text{RED COMM}$$

$$P \to P' \;\Rightarrow\; P \mid Q \to P' \mid Q \qquad\text{RED PAR}$$

$$P \to P' \;\Rightarrow\; (\nu n)P \to (\nu n)P' \qquad\text{RED RESTR}$$

$$P \equiv Q \to Q' \equiv P' \;\Rightarrow\; P \to P' \qquad\text{RED CONG}$$

In the above we let $S, T$ range over summations. The notation $P\{y/x\}$ means the substitution of $y$ for every free occurrence of $x$ in $P$. We write $\to^*$ for the transitive and reflexive closure of $\to$.

A process $P$ exhibits barb $n$, written as $P \downarrow n$, iff

$$P \equiv (\nu \tilde p)\big((\bar n\langle q\rangle.P' + S) \mid P''\big)$$

with $n \notin \tilde p$. These barbs represent the most basic observations that we can make of processes. We only consider output barbs; input barbs are not needed, and by omitting them we obtain greater uniformity with MA. A process $P$ eventually exhibits barb $n$, written $P \Downarrow n$, iff $P \to^* Q$ and $Q \downarrow n$ for some $Q$. If $P \downarrow n$ we say that $n$ is a strong barb of $P$, and if $P \Downarrow n$ we say that $n$ is a weak barb of $P$. We define $P \Downarrow$ iff there is some $n \in \mathcal{N}$ such that $P \Downarrow n$.

The $\pi$-calculus with separate choice $\pi_s$ [17] is the sub-calculus of $\pi_m$ where summations cannot mix input and output guards. The grammar is the following:

$$\alpha^I ::= m(n) \;\mid\; \tau \qquad\qquad \alpha^O ::= \bar m\langle n\rangle \;\mid\; \tau$$

$$P, Q ::= \sum_{i \in I} \alpha^I_i.P_i \;\mid\; \sum_{i \in I} \alpha^O_i.P_i \;\mid\; !P \;\mid\; P \mid Q \;\mid\; (\nu n)P$$

One could regard $\pi_s$ as having the same expressive strength as the asynchronous $\pi$-calculus [11,3], since $\pi_s$ can be encoded in the asynchronous $\pi$-calculus [17].

2.2 Mobile Ambients

As in the $\pi$-calculus, we assume the existence of a set $\mathcal{N}$ of names. The processes of MA [7] are given by the following grammar:

$$P, Q ::= 0 \;\mid\; !P \;\mid\; P \mid Q \;\mid\; (\nu n)P \;\mid\; n[P] \;\mid\; M.P \;\mid\; (n).P \;\mid\; \langle n\rangle$$

Intuitively $0$ stands for the inactive process; we shall feel free to omit trailing $0$s and write empty ambients as $n[\,]$ rather than $n[0]$. $n[P]$ is the ambient $n$ containing the active process $P$ and $M.P$ is process $P$ guarded by capability $M$. Here $M$ is defined in the following grammar:

$$M ::= \mathrm{in}\ n \;\mid\; \mathrm{out}\ n \;\mid\; \mathrm{open}\ n$$

The meaning of the capabilities is intuitively the following: $\mathrm{open}\ n$ dissolves an ambient with name $n$; $\mathrm{in}\ n$ allows an ambient to enter another ambient named $n$; finally $\mathrm{out}\ n$ allows an ambient to exit its own parent named $n$. The anonymous communication primitives are: $(n).P$ will input any message in the top-level ambient, and $\langle n\rangle$ is an output with no continuation. This form of communication is more limited than in standard MA [7], where sequences of capabilities can be passed; we have adopted this formulation for simplicity. The other operators have the same meaning as in the $\pi$-calculus.

The free names $\mathrm{fn}(P)$ of $P$ are defined in the standard way, taking into account that the binding operators are restriction and input. Processes are syntactically equal ($=$) if they are identical apart from alpha-conversion of bound names. Structural congruence $\equiv$ is defined as for the $\pi$-calculus with one extra rule:

$$(\nu m)n[P] \equiv n[(\nu m)P] \quad \text{if } n \neq m$$
The reduction relation $\to$ is defined as follows:

$$m[\mathrm{in}\ n.P \mid Q] \mid n[R] \to n[m[P \mid Q] \mid R] \qquad\text{RED IN}$$

$$n[m[\mathrm{out}\ n.P \mid Q] \mid R] \to m[P \mid Q] \mid n[R] \qquad\text{RED OUT}$$

$$\mathrm{open}\ n.P \mid n[Q] \to P \mid Q \qquad\text{RED OPEN}$$

$$(m).P \mid \langle n\rangle \to P\{n/m\} \qquad\text{RED COMM}$$

$$P \to Q \;\Rightarrow\; P \mid R \to Q \mid R \qquad\text{RED PAR}$$

$$P \to Q \;\Rightarrow\; n[P] \to n[Q] \qquad\text{RED AMB}$$

$$P \to Q \;\Rightarrow\; (\nu n)P \to (\nu n)Q \qquad\text{RED RESTR}$$

$$P \equiv P' \to Q' \equiv Q \;\Rightarrow\; P \to Q \qquad\text{RED CONG}$$

Again, $\to^*$ stands for the reflexive and transitive closure of $\to$.

The most basic observation we can make of an MA process is the presence of an unrestricted top-level ambient. A process $P$ exhibits barb $n$, written as $P \downarrow n$, iff $P \equiv (\nu \tilde p)(n[P'] \mid P'')$ with $n \notin \tilde p$. As for the $\pi$-calculus, we define weak barbs by $P \Downarrow n$ iff $P \to^* Q$ and $Q \downarrow n$ for some $Q$. We define $P \Downarrow$ iff there is some $n \in \mathcal{N}$ such that $P \Downarrow n$.

We shall be interested in certain fragments of MA. By $\mathrm{MA}^{io}$ we mean pure MA without restriction and the open capability. Finally we denote MA with all operators except the in capability by $\mathrm{MA}^{-in}$.



3 Electoral Systems

Expressiveness results have positive aspects, where encodings are given. However, one can also show that some encodings do not exist. One way of proceeding is to show that there is a problem that can be solved in one calculus, but not in the other. We have been inspired by Palamidessi's work on expressiveness results for the $\pi$-calculus [18]. In order to separate the $\pi$-calculus with mixed choice from the $\pi$-calculus with separate choice, Palamidessi considers the symmetric leader election problem (SLE). The idea is that, given a symmetric network, a leader has to be elected without the help of a centralised server. Symmetry means informally that all the processes in the network can perform the same actions up to some kind of renaming. This kind of problem is widely studied in the literature of distributed computing [14,2] and process algebra [1,4,9,18]. Problems are categorised by the topology of the network and the way in which the winner is declared. A network could be a ring or a fully connected graph, while the winner could be announced by one process only, or by all the processes. Palamidessi has shown that a symmetric network in the $\pi$-calculus without mixed choice cannot solve the problem of electing a leader in a guaranteed fashion. The idea of the proof is that the symmetry of the network need never be broken.

We present electoral systems for both the $\pi$-calculus and MA. We will then show that $\mathrm{MA}^{io}$ can indeed solve the leader election problem, which is sufficient to separate MA from the $\pi$-calculus without mixed choice.



3.1 Networks and Electoral Systems

In this section we define networks and electoral systems. These notions are general enough to be applied to any name-based calculus whose operational semantics is defined in terms of a reduction relation. Hence the definitions below apply equally well to the ambient calculus and to the $\pi$-calculus.

We assume that we are dealing with some generic process calculus with a set $\mathcal{N}$ of names, restriction and parallel composition operators, and notions of structural congruence $\equiv$, reduction $\to$ and barb $\downarrow$.

We assume that $\mathcal{N}$ includes a set of observables $\mathrm{Obs} = \{\omega_i : i \in \mathbb{N}\}$ such that for all $i, j$ we have $\omega_i \neq \omega_j$ if $i \neq j$. The observables will be used by networks to communicate with the outside world.

Definition 1. Let $P$ be a process. A computation $C$ of $P$ is a (finite or infinite) sequence $P = P_0 \to P_1 \to \cdots$. It is maximal if it cannot be extended, i.e. either $C$ is infinite, or else it is of the form $P_0 \to \cdots \to P_h$ where $P_h \not\to$.

Definition 2. Let $C$ be a computation $P_0 \to \cdots \to P_h \to \cdots$. We define the observables of $C$ as $\mathrm{Obs}(C) = \{\omega \in \mathrm{Obs} : \exists h.\ P_h \downarrow \omega\}$.

Our definition of computation is different from Palamidessi's. She uses labelled transition systems, while we use unlabelled reduction relations (i.e. $\tau$-actions). This seems appropriate for the ambient world, where the intended semantics is defined in terms of a reduction relation and there is no agreement within the scientific community about a good labelled transition system. It also works well for the $\pi$-calculus.

Networks are just collections of processes running in parallel:

Definition 3. A network $\mathrm{Net}$ of size $k$ is a process of the form $(\nu \tilde x)(P_0 \mid \ldots \mid P_{k-1})$.

Networks inherit a notion of computation from processes; we do not assume that a network reduces to a network (although in fact every process is a network of size 1 in a trivial sense). In particular, we do not require that a network maintains its size during a computation. This would be too restrictive, as will become clear when we consider electoral systems in the ambient calculus.
A permutation is a bijection $\sigma : \mathcal{N} \to \mathcal{N}$ such that $\sigma$ preserves the distinction
between observable and non-observable names, i.e. $n \in Obs$ iff $\sigma(n) \in Obs$. Any
permutation $\sigma$ gives rise in a standard way to a mapping on processes, where
$\sigma(P)$ is the same as $P$, except that any free name $n$ of $P$ is changed to $\sigma(n)$ in
$\sigma(P)$, with bound names being adjusted as necessary to avoid clashes.

A permutation $\sigma$ induces a bijection $\hat\sigma : \mathbb{N} \to \mathbb{N}$ defined as follows: $\hat\sigma(i) = j$
where $\sigma(\omega_i) = \omega_j$. Thus for all $i \in \mathbb{N}$, $\sigma(\omega_i) = \omega_{\hat\sigma(i)}$. We use $\hat\sigma$ to permute the
indices of processes in a network.

Definition 4. Let $Net = (\nu \vec{x})(P_0 \mid \ldots \mid P_{k-1})$ be a network of size $k$. An
automorphism on $Net$ is a permutation $\sigma$ such that (1) $\hat\sigma$ restricted to $\{0, \ldots, k-1\}$
is a bijection, and (2) $\sigma$ preserves the distinction between free and bound
names, i.e. $x \in \vec{x}$ iff $\sigma(x) \in \vec{x}$.

Definition 5. Let $\sigma$ be an automorphism on a network of size $k$. For any $i \in
\{0, \ldots, k-1\}$ the orbit $O_\sigma(i)$ generated by $\sigma$ is defined as follows:

$O_\sigma(i) = \{i, \hat\sigma(i), \hat\sigma^2(i), \ldots, \hat\sigma^{h-1}(i)\}$

where $\hat\sigma^j$ represents the composition of $\hat\sigma$ with itself $j$ times, and $h$ is least such
that $\hat\sigma^h(i) = i$.



Definition 6 (Symmetric Network). [18] Let $Net = (\nu \vec{x})(P_0 \mid \ldots \mid P_{k-1})$
be a network of size $k$ and let $\sigma$ be an automorphism on it. We say that $Net$
is symmetric with respect to $\sigma$ iff for each $i = 0, \ldots, k-1$ we have $P_{\hat\sigma(i)} =
\sigma(P_i)$. We say that $Net$ is symmetric if it is symmetric with respect to some
automorphism with a single orbit (which must have size $k$).

Our definitions of automorphism and symmetric network differ from those of 
Palamidessi. She takes the network topology into account, and associates a 
hypergraph with a network in order to help understanding of the symmetries 
associated with connectivity. Automorphisms are defined with respect to this 
hypergraph, and a network is symmetric if it is symmetric with respect to every 
automorphism. We have chosen our definitions because they seem to capture 
exactly what is needed for our separation results. Connectivity is not an issue in 
the present work — we remark further on this in our conclusions (Section 5). 

Intuitively an electoral system is a network which reports a unique winner 
no matter how the computation proceeds. 

Definition 7 (Electoral system). A network $Net$ of size $k$ is an electoral
system if for every maximal computation $\mathcal{C}$ of $Net$ there exists an $i < k$ such
that $Obs(\mathcal{C}) = \{\omega_i\}$. An electoral system is said to be symmetric if the network
is symmetric.

Thus each maximal computation gives exactly one winner. It does not matter 
which process in the original network displays the observable barb; indeed, in 
MA this is not even necessarily meaningful, as processes can intermingle using 
movement capabilities. 
Our definition of electoral system is different from Palamidessi’s. For
Palamidessi the requirement for an electoral system is that every process in 
the electoral system can execute a special action out{i). In other words everyone 
is aware of the leader. As she states, her results would hold under the alterna- 
tive requirement that exactly one process announces the winner. Our notion is 
weaker, in that we merely require that at least one process announces the winner, 
and it is left open how many processes make the announcement. 



3.2 Calculi with Symmetric Electoral Systems

The $\pi$-calculus with mixed choice can elect a leader in a symmetric network
according to Palamidessi’s criteria. It is not difficult to see that it also admits a
symmetric electoral system according to our new and weaker criteria.

The simplest non-trivial symmetric electoral system is for $k = 2$:

$P_0 = x_0(y) + \bar{x}_1\langle z \rangle.\bar{\omega}_0\langle z \rangle \qquad P_1 = x_1(y) + \bar{x}_0\langle z \rangle.\bar{\omega}_1\langle z \rangle$

$Net = P_0 \mid P_1$

The process which performs the output wins. Notice that if we were using labelled
transitions we would have to restrict $x_0$ and $x_1$ globally in order to ensure
synchronisation; this is not necessary with unlabelled transitions. The network
is symmetric with respect to a single-orbit automorphism $\sigma$ which swaps $\omega_0$ with
$\omega_1$ and $x_0$ with $x_1$, with $\sigma$ the identity on all other names. Hence we have:

Proposition 1. In $\pi_m$ there exists a symmetric electoral system of size 2.

Notice that the link-passing capabilities of the $\pi$-calculus play no role in the electoral
system given above; it is the mixed choice which is important. Palamidessi
shows that in $\pi_m$ there are symmetric electoral systems of size $k$ for every $k$.

We now turn to MA. Recall that by $\mathrm{MA}^{io}$ we mean pure MA without restriction
and the open capability.

Proposition 2. In $\mathrm{MA}^{io}$ there exists a symmetric electoral system of size 2.

Proof (Sketch). Let

$Net = n_0[\, in\ n_1.\omega_0[\, out\ n_0.out\ n_1 \,] \,] \mid n_1[\, in\ n_0.\omega_1[\, out\ n_1.out\ n_0 \,] \,].$

The first process to perform an $in$ wins. Notice that the $in$ capability breaks
symmetry to decide the winner, while the $out$ capability enables the winner to
be reported at the top level. □



Theorem 1. In $\mathrm{MA}^{io}$, for any $k$, there exists a symmetric electoral system of
size $k$.

Proof (Sketch). For $0 \le i < k$, let $S_i = \{0, \ldots, i-1, i+1, \ldots, k-1\}$, i.e. the
natural numbers less than $k$ excluding $i$. Let $T_i$ be the set of all strings of length
$k-1$ using the members of $S_i$ exactly once each. Given an element $s$ of $T_i$ we
denote by $s^-$ the string which is $s$ in reverse order. Let $n_0, \ldots, n_{k-1} \in \mathcal{N}$. By
$in(s)$ we mean the sequence of $in\ n_j$ capabilities for each successive $j \in s$ (and
likewise $out(s)$ is the sequence of $out\ n_j$ capabilities for each successive $j \in s$).

$P_i = n_i[\ \prod_{j \in S_i} in\ n_j \ \mid\ \prod_{s \in T_i} \omega_i[\, in(s).out(s^-).out\ n_i \,]\ ]$

$Net = P_0 \mid \cdots \mid P_{k-1}$

The idea is that the processes that take part in the election can enter one another,
until they form a linear stack. At this point no further movement of the main
ambients is possible, and the leader is the ambient $n_i$ which is at the top of the
stack. For some $s \in T_i$, an ambient $\omega_i$ can descend to the bottom of the stack
using $in(s)$, and then ascend to the top of the stack using $out(s^-)$ (of course, it
may start this process before the stack is fully formed). Finally $\omega_i$ uses $out\ n_i$ to
emerge at the top level, and $i$ is declared the winner. Any $\omega_j$ ambient ($j \neq i$) will
not be able to use up all its $in(s)$ capabilities, and so will not be able to emerge
at the top level. Hence, exactly one winner is declared for each computation. As
in Proposition 2, the $in$ capability breaks symmetry and chooses the winner, and
the $out$ capability is required to report the winner.

We thank Sergio Maffeis for suggesting the construction of the electoral sys-
tem in this proof, which improves our previous construction. □
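The two constructions above (the size-2 network of Proposition 2 and the size-$k$ network from the proof of Theorem 1) can be checked mechanically. The following Python script is an added example, not code from the paper: it implements a reduction-semantics interpreter for the $in$/$out$ fragment $\mathrm{MA}^{io}$ (no open, no restriction), enumerates the observables $Obs(\mathcal{C})$ of every maximal computation (Definition 2) and tests the electoral-system condition of Definition 7. Names are rendered as `n0`, `n1`, … for $n_i$ and `w0`, `w1`, … for $\omega_i$; the tuple encoding of processes and the function names (`prop2_net`, `theorem1_net`, `no_in_net`, `observable_sets`, `is_electoral`) are this example's own choices and not notation from the paper.

```python
"""Exhaustive check that a network of MA^{io} is an electoral system (added example,
not the paper's code).  A parallel composition is a sorted tuple of items: an ambient
is ('amb', name, contents), a capability prefix is ('cap', path, continuation) with
path a tuple of ('in', n) / ('out', n) pairs.  Top-level ambients named w<i> are the
observables omega_i."""
from functools import lru_cache
from itertools import permutations

def canon(items):
    """Sorted tuple, so structurally congruent processes compare equal."""
    return tuple(sorted(items))

def amb(name, *contents):
    return ('amb', name, canon(contents))

def caps(path, *continuation):
    return ('cap', tuple(path), canon(continuation))

def replace(items, old, new_items):
    """Remove one occurrence of `old`, add `new_items`, re-canonicalise."""
    lst = list(items)
    lst.remove(old)
    return canon(lst + list(new_items))

def consume(cap):
    """Drop the first capability of a prefix; return the items that remain."""
    rest = cap[1][1:]
    return [('cap', rest, cap[2])] if rest else list(cap[2])

def successors(items):
    """All one-step reducts under Red In, Red Out and reduction inside ambients."""
    out = set()
    for i, a in enumerate(items):
        if a[0] != 'amb':
            continue
        n, contents = a[1], a[2]
        for p in contents:                       # Red In: n[in m.P|Q] | m[R] -> m[n[P|Q] | R]
            if p[0] != 'cap' or p[1][0][0] != 'in':
                continue
            m = p[1][0][1]
            for j, b in enumerate(items):
                if j != i and b[0] == 'amb' and b[1] == m:
                    moved = ('amb', n, replace(contents, p, consume(p)))
                    entered = ('amb', m, canon(list(b[2]) + [moved]))
                    rest = [x for k, x in enumerate(items) if k not in (i, j)]
                    out.add(canon(rest + [entered]))
        for q in contents:                       # Red Out: n[q[out n.P|Q] | R] -> q[P|Q] | n[R]
            if q[0] != 'amb':
                continue
            for p in q[2]:
                if p[0] == 'cap' and p[1][0] == ('out', n):
                    exited = ('amb', q[1], replace(q[2], p, consume(p)))
                    shrunk = ('amb', n, replace(contents, q, []))
                    out.add(replace(items, a, [shrunk, exited]))
        for inner in successors(contents):       # reductions strictly inside a
            out.add(replace(items, a, [('amb', n, inner)]))
    return out

def barbs(items):
    """Top-level observables, i.e. the w<i> ambients at the outermost level."""
    return frozenset(x[1] for x in items if x[0] == 'amb' and x[1].startswith('w'))

@lru_cache(maxsize=None)
def observable_sets(state):
    """{Obs(C) : C a maximal computation from state} (Definition 2).  Each reduction
    consumes one capability, so the state graph is a finite DAG and this terminates."""
    here, nxt = barbs(state), successors(state)
    if not nxt:
        return frozenset({here})
    return frozenset(here | obs for t in nxt for obs in observable_sets(t))

def is_electoral(net):
    """Definition 7: every maximal computation reports exactly one winner."""
    return all(len(obs) == 1 for obs in observable_sets(net))

def prop2_net():
    """n0[in n1.w0[out n0.out n1]] | n1[in n0.w1[out n1.out n0]]  (Proposition 2)."""
    return canon([amb('n0', caps([('in', 'n1')], amb('w0', caps([('out', 'n0'), ('out', 'n1')])))),
                  amb('n1', caps([('in', 'n0')], amb('w1', caps([('out', 'n1'), ('out', 'n0')]))))])

def theorem1_net(k):
    """P_i = n_i[ prod_{j != i} in n_j | prod_{s in T_i} w_i[in(s).out(s^-).out n_i] ] (Theorem 1)."""
    procs = []
    for i in range(k):
        others = [j for j in range(k) if j != i]
        body = [caps([('in', f'n{j}')]) for j in others]
        for s in permutations(others):
            path = ([('in', f'n{j}') for j in s] + [('out', f'n{j}') for j in reversed(s)]
                    + [('out', f'n{i}')])
            body.append(amb(f'w{i}', caps(path)))
        procs.append(amb(f'n{i}', *body))
    return canon(procs)

def no_in_net():
    """Symmetric size-2 network with `out` only (setting of Theorem 3): both barbs appear."""
    return canon([amb('n0', amb('w0', caps([('out', 'n0')]))),
                  amb('n1', amb('w1', caps([('out', 'n1')])))])
```

Calling `observable_sets(theorem1_net(3))` yields the three singletons $\{\omega_0\}$, $\{\omega_1\}$, $\{\omega_2\}$: whichever $n_i$ ends up at the top of the stack, exactly that $\omega_i$ reaches the top level, so `is_electoral` returns `True`; `prop2_net()` behaves the same with two candidates. By contrast `no_in_net()`, which only has $out$ capabilities, has a single observable set $\{\omega_0, \omega_1\}$: nothing ever breaks the symmetry and both barbs are reported, which is the situation Theorem 3 describes. The search terminates because every reduction consumes one capability, so the reachable state graph is finite and acyclic.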

3.3 Calculi without Symmetric Electoral Systems

In this subsection we show that there are calculi that do not admit a sym-
metric electoral system. First of all we reestablish within the present framework
Palamidessi’s result that the $\pi$-calculus with separate choice ($\pi_s$) does not admit
a symmetric electoral system (Theorem 4.2 of [18]).

Theorem 2. Let $Net$ be a symmetric network of size $k \geq 2$ in $\pi_s$. Then $Net$
cannot be an electoral system.

The proof can be found in [21]. Much as in Palamidessi’s proof, the idea is that
if $Net$ is symmetric we can find a computation which preserves symmetry, so
that after every $k$ reductions we have again a symmetric network of size $k$. This
computation can never declare a unique winner.

We have shown in Subsection 3.2 that $\mathrm{MA}^{io}$ can solve SLE. We have also seen
that SLE can be solved in $\pi_m$, but not in $\pi_s$, so that mixed choice is essential.
We now show that the $in$ capability of $\mathrm{MA}^{io}$ is required to solve SLE.

Theorem 3. Let $Net$ be a symmetric network of size $k \geq 2$ in $\mathrm{MA}^{io}$ without
the $in$ capability. Then $Net$ cannot be an electoral system.

The proof can be found in [21]. As in the proof of Theorem 2, the idea is that
symmetry need never be broken.
3.4 Separation Results

Again inspired by Palamidessi’s work, we are now going to show that there exists
no encoding from MA into $\pi_s$ which satisfies certain conditions.

Definition 8. Let $L, L'$ be process languages. An encoding $\llbracket - \rrbracket : L \to L'$ is

1. distribution-preserving if for all processes $P, Q$ of $L$, $\llbracket P \mid Q \rrbracket = \llbracket P \rrbracket \mid \llbracket Q \rrbracket$;

2. permutation-preserving if for any permutation of names $\sigma$ in $L$ there exists
a permutation $\theta$ in $L'$ such that $\llbracket \sigma(P) \rrbracket = \theta(\llbracket P \rrbracket)$ and the permutations are
compatible on observables, in that for all $i \in \mathbb{N}$ we have $\sigma(\omega_i) = \theta(\omega_i)$;

3. observation-respecting if for any $P$ in $L$,

a) for every maximal computation $\mathcal{C}$ of $P$ there exists a maximal computa-
tion $\mathcal{C}'$ of $\llbracket P \rrbracket$ such that $Obs(\mathcal{C}) = Obs(\mathcal{C}')$;

b) for every maximal computation $\mathcal{C}$ of $\llbracket P \rrbracket$ there exists a maximal compu-
tation $\mathcal{C}'$ of $P$ such that $Obs(\mathcal{C}) = Obs(\mathcal{C}')$.

An encoding which preserves distribution and permutation is uniform.

In the above L and L' can have different sets of names, but they must have the 
same observables Obs. 

The first two items in Definition 8 (i.e. uniformity) are as in Palamidessi. 
The condition of preserving distribution is important in ruling out encodings 
which make use of a central server. The third item requires some comment. 
Bougé [4] defined an encoding as “reasonable” if it maps electoral systems to
electoral systems. The condition of respecting observations is our interpretation 
of Palamidessi’s requirement of “preserving a reasonable semantics”. She states
that a reasonable semantics should distinguish processes which differ on the 
observables of their maximal computations. In fact, we only require part (b) 
to ensure that electoral systems are mapped to electoral systems; part (a) is 
added to make the condition more natural. In their version of Palamidessi’s 
work, Sangiorgi and Walker [20] use a condition that if the observables of every 
maximal computation of a process P are singletons, then the same is true for 
the encoding of P. This obviously relates very directly to the need to preserve 
electoral systems. Finally, Ene and Muntean [9] use yet another formulation. As
it only refers to finite computations, it would not be enough for our purposes. 

Symmetric electoral systems are mapped to symmetric electoral systems by 
encodings satisfying Definition 8: 

Lemma 1. Suppose $\llbracket - \rrbracket : L \to L'$ is a uniform observation-respecting encod-
ing. Suppose that $Net$ is a symmetric electoral system of size $k$ with no globally-
bound variables. Then $\llbracket Net \rrbracket$ is also a symmetric electoral system of size $k$.

Proof. See [21]. □

Recall that the asynchronous $\pi$-calculus can be encoded in MA. The next result
shows that the converse fails.

Corollary 1. There does not exist a uniform observation-respecting encoding
from $\mathrm{MA}^{io}$ into $\pi_s$.

Proof. By Proposition 2, Theorem 2 and Lemma 1. □

Similarly we have:

Corollary 2. There does not exist a uniform observation-respecting encoding
from $\pi_m$ into or from $\mathrm{MA}^{io}$ into $\mathrm{MA}^{io}$ without the $in$ capability.

3.5 Objective Moves

Notice that for a symmetric network to be an electoral system there are two
requirements:

1. Every computation has to break symmetry.

2. There must be the possibility of displaying the winner.

As we saw in Section 3.2, MA has symmetric electoral systems, since it can use
$in$ to break symmetry and $out$ to help display the winner. However one might
wonder whether what is really important is the tree structure of ambients, and
the capability to move up and down within it, as reflected in ambient calculi
in general. We shall see in this subsection that not every ambient calculus can
solve SLE, and so the precise nature of the movement capabilities is important.

We consider a variant of MA with objective moves, which we call $\mathrm{MA}^{ob}$. This
was first discussed by Cardelli and Gordon [7]. $\mathrm{MA}^{ob}$ has two different capabili-
ties with respect to standard MA. Instead of $in\ n$ and $out\ n$ there are $mv\ in\ n$ and
$mv\ out\ n$. We replace Red In and Red Out by the following reduction rules:

$mv\ in\ n.P \mid n[Q] \rightarrow n[P \mid Q]$ (Red Obj-In)

$n[mv\ out\ n.P \mid Q] \rightarrow P \mid n[Q]$ (Red Obj-Out)

Theorem 4. Let $Net$ be a symmetric network of size $k \geq 2$ in $\mathrm{MA}^{ob}$. Then $Net$
cannot be an electoral system.

The proof can be found in [21].

Corollary 3. There does not exist a uniform observation-respecting encoding
from $\mathrm{MA}^{io}$ into $\mathrm{MA}^{ob}$, or from $\pi_m$ into $\mathrm{MA}^{ob}$.



Remark 1. Cardelli and Gordon also discuss a variant form of objective moves
with a reduction rule of the form

$mv\ m\ in\ n.P \mid m[Q] \mid n[R] \rightarrow P \mid n[m[Q] \mid R]$

This form of objective move can break symmetry (like standard $in$).
4 Matching

The matching operator $[m = n]P$ was introduced in [16]. It expresses the compar-
ison between two names; $[m = n]P$ behaves like $P$ iff the name $n$ is the same as
$m$; otherwise $[m = n]P$ is inert. If matching is introduced as a primitive operator,
structural congruence is augmented with the rule $[n = n]P \equiv P$.

In the case of the $\pi$-calculus (with or without mixed choice) Carbone and
Maffeis showed that there does not exist a “sensible” encoding of the matching
operator [6]. They define an encoding to be sensible if it is uniform (Definition 8)
with respect to substitutions (not just permutations), preserves a reasonable
semantics, and distinguishes deadlocks from livelocks.

We shall see that matching can be encoded in MA. We shall adapt the meth-
ods of Carbone and Maffeis to achieve a separation between pure MA and $\pi_m$.

4.1 The Encoding of Matching

Let $\mathrm{MA}^{=}$ denote MA with matching. We describe an encoding $\llbracket - \rrbracket^{=}$ from $\mathrm{MA}^{=}$
to MA. This makes use of the particular semantics of the ambient operator. A
restricted ambient, invisible to the outside world, can contain processes with free
variables that produce computation that is visible outside. Below we report only
the most important clause of the encoding. For the other operators the encoding
is homomorphic.

$\llbracket [m = n]P \rrbracket^{=} = (\nu x\, y)(\, x[\, open\ m.y[\, out\ x \,] \mid n[\,] \,] \mid open\ y.open\ x.\llbracket P \rrbracket^{=} \,)$

Observe that in general $fn(\llbracket [m = n]P \rrbracket^{=}) = fn([m = n]P)$. If $m = n$ then the
four steps of the encoding proceed in a deterministic fashion within the scope of
the restriction, avoiding in this way any form of interference. If $m \neq n$ then the
encoded matching is inert.
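As an added worked reduction (it is not part of the paper), here is the clause above run through for $m = n$, with the paper's own names $x$, $y$, $n$ and $P$; it makes the four deterministic steps explicit:

$$\begin{array}{rcl}
\llbracket [n = n]P \rrbracket^{=} &=& (\nu x\,y)(\, x[\, open\ n.y[\, out\ x \,] \mid n[\,] \,] \mid open\ y.open\ x.\llbracket P \rrbracket^{=} \,) \\
&\rightarrow& (\nu x\,y)(\, x[\, y[\, out\ x \,] \,] \mid open\ y.open\ x.\llbracket P \rrbracket^{=} \,) \qquad \text{(open $n$ dissolves $n[\,]$)} \\
&\rightarrow& (\nu x\,y)(\, x[\,] \mid y[\,] \mid open\ y.open\ x.\llbracket P \rrbracket^{=} \,) \qquad \text{($y$ exits $x$)} \\
&\rightarrow& (\nu x\,y)(\, x[\,] \mid open\ x.\llbracket P \rrbracket^{=} \,) \qquad \text{(open $y$)} \\
&\rightarrow& (\nu x\,y)\,\llbracket P \rrbracket^{=} \;\equiv\; \llbracket P \rrbracket^{=} \qquad \text{(open $x$; $x, y \notin fn(\llbracket P \rrbracket^{=})$)}
\end{array}$$

At each step exactly one reduction is enabled, and all of it happens under the restriction on $x$ and $y$, so no context can interfere. For $m \neq n$ the first step needs an ambient named $m$ inside $x$, which is absent, so nothing reduces and the encoding is inert, exactly as $[m = n]P$ is.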

Let $L$ be any process language with notions of reduction and barb. Assuming
that the notion of context $C$ is defined by following the syntax of $P$, we define a
notion of weak bisimulation for reduction semantics.

Definition 9. [12] A symmetric relation $S \subseteq L \times L$ is a contextual barbed
bisimulation if $P\, S\, Q$ implies:

— for each name $n$, if $P \downarrow n$ then $Q \Downarrow n$;

— for any context $C$, whenever $C[P] \rightarrow P'$ then for some $Q'$,
$C[Q] \Rightarrow Q'$ and $P'\, S\, Q'$.

Two processes $P, Q$ are said to be contextual barbed equivalent ($P \approx Q$), if
$P\, S\, Q$ for some contextual barbed bisimulation $S$.

The following full abstraction theorem shows that our encoding of matching is
well-behaved. Let $\approx$ (resp. $\approx^{=}$) denote contextual barbed equivalence on MA
(resp. $\mathrm{MA}^{=}$).

Theorem 5. For all $P, Q \in \mathrm{MA}^{=}$, $P \approx^{=} Q$ iff $\llbracket P \rrbracket^{=} \approx \llbracket Q \rrbracket^{=}$.
Proof. See [21]. □

Matching can be encoded in other ambient calculi; this has been carried out
for PAC [19], and the above can be easily adapted for SA.

4.2 Separation Results

So far we have shown that pure MA without restriction and open is not encodable
in the $\pi$-calculus without mixed choice (Corollary 1). We will now show that pure
MA is not encodable in the $\pi$-calculus with mixed choice and without matching
($\pi_m$). The result has been inspired by [6].

Definition 10. Let $L, L'$ be languages. An encoding $\llbracket - \rrbracket : L \to L'$ is

1. substitution-preserving if for any substitution of names $\sigma$ in $L$ there exists
a substitution $\theta$ in $L'$ such that $\llbracket \sigma(P) \rrbracket = \theta(\llbracket P \rrbracket)$;

2. weak barb-respecting if for any $P$ in $L$, $P \Downarrow$ iff $\llbracket P \rrbracket \Downarrow$.

The first condition is to be compared with the permutation-preserving condition
of Definition 8. It is stronger, in that we move from permutations to arbitrary
substitutions. However we no longer require $\theta$ and $\sigma$ to agree on observables.

The second condition of Definition 10 corresponds to the observation-
respecting condition of Definition 8. The two conditions are incompatible. How-
ever, if we strengthen the observation-respecting condition by insisting that all
names are included in the observables, and if we assume that $L$ and $L'$ have
the same set of names, then we have $P \Downarrow$ iff $P$ has a computation $\mathcal{C}$ such that
$Obs(\mathcal{C}) \neq \emptyset$. So in this case observation-respecting implies weak barb-respecting.



Lemma 2. Take $P \in \pi_m$ and any substitution $\sigma$. If $\sigma(P) \Downarrow$ then $P \Downarrow$.

Proof. Similar to that of Proposition 4.1 of [6]. The result depends on all names
in $\mathcal{N}$ being possible barbs. □

Lemma 2 is not true for MA. Neither does it hold for matching in the $\pi$-calculus
(consider a process $[m = n]x(y)$), and on this is based the proof in [6] that
matching is not encodable in the $\pi$-calculus.

Theorem 6. There does not exist a substitution-preserving and weak barb-
respecting encoding from pure MA into $\pi_m$.

Proof. Assume there exists such an encoding $\llbracket - \rrbracket$. Let $\sigma$ be a substitution with
$\sigma(n) = m$ and all other names unchanged. Let $P = (\nu r)(r[\, open\ n.m[\, out\ r \,] \mid
m[\,] \,])$. We have $\sigma(P) \Downarrow$ but $P \not\Downarrow$. There is a substitution $\theta$ satisfying $\llbracket \sigma(P) \rrbracket =
\theta(\llbracket P \rrbracket)$. But since $\sigma(P) \Downarrow$ we have $\llbracket \sigma(P) \rrbracket \Downarrow$ (weak barb-respecting condition). So
$\theta(\llbracket P \rrbracket) \Downarrow$. By Lemma 2 we have $\llbracket P \rrbracket \Downarrow$. Hence $P \Downarrow$, which is a contradiction. □

Notice that Theorem 6 was achieved without assuming that the encodings
preserve distribution (Definition 8).
5 Conclusions and Further Work

We have investigated the relative strengths of the $\pi$-calculus and MA. We have
used electoral systems to show that MA cannot be encoded in the $\pi$-calculus
with separate choice $\pi_s$ (under certain natural conditions on encodings); the
other direction is already known to be possible. We have also seen that matching
can be encoded in MA. We then saw that pure MA cannot be encoded in the
$\pi$-calculus without matching (under different conditions on encodings).

We have seen that certain calculi can solve leader election problems in
the presence of symmetric networks and others cannot. One way to approach
this in a broader context is to categorise operators in languages as symmetry-
breaking or symmetry-preserving. In MA entering another ambient is symmetry-
breaking; however it is symmetry-preserving in objective MA ($\mathrm{MA}^{ob}$). Similarly
for the $\pi$-calculus, mixed choice is symmetry-breaking while separate choice is
symmetry-preserving. As future work, we plan to investigate this difference for
process languages in general. This would involve defining some sort of format
that characterises symmetry-preserving operators.

Another issue is connectivity. In this article all our examples of electoral
systems are fully connected networks. Palamidessi achieved a separation between
the $\pi$-calculus and CCS by considering election problems for symmetric networks
which are connected but not fully connected, e.g. rings. We are working on similar
results for ambient calculi.

Finally, we need to consider how this work applies to related languages. From
Theorem 1 it follows trivially that Boxed Ambients [5] can solve the symmetric
leader election problem. So should the Seal calculus [22], since the (move in)
seems to be a symmetry-breaking operator. On the other hand we speculate
that the pure version of $D\pi$ [10] cannot solve such a problem. Informally one
might think that the operator for flat locations is symmetry-preserving.

Acknowledgements. We thank Sergio Maffeis, Catuscia Palamidessi and 
Nobuko Yoshida for helpful discussions. We also thank the referees for their 
suggestions. 
Abstract. The $\lambda\mu\tilde\mu$-calculus, defined by Curien and Herbelin [7], is a
variant of the $\lambda\mu$-calculus that exhibits symmetries such as term/context
and call-by-name/call-by-value. Since it is a symmetric, and hence a
non-deterministic calculus, the usual proof techniques of normalization need
some adjustments to work in this setting. Here we prove the
strong normalization (SN) of the simply typed $\lambda\mu\tilde\mu$-calculus with explicit
substitutions. For that purpose, we first prove SN of the simply typed $\lambda\mu\tilde\mu$-
calculus (by a variant of the reducibility technique from Barbanera and
Berardi [2]), then we formalize a proof technique of SN via PSN (preser-
vation of strong normalization), and we prove PSN by the perpetuality
technique, as formalized by Bonelli [5].



1 Introduction

1.1 $\lambda\mu\tilde\mu$-Calculus and Explicit Substitutions

The $\lambda\mu\tilde\mu$-calculus, defined by Curien and Herbelin [7], is a symmetric variant
of Parigot’s $\lambda\mu$-calculus [11] that provides a term notation for classical sequent
calculus. It exhibits symmetries such as terms/contexts and call-by-name/call-
by-value. Its two main reduction rules form a symmetric critical pair, which
makes the calculus non-deterministic (non-confluent) and raises difficulties in
normalization proofs: a naive definition of reducibility candidates would fall in
a symmetric loop of mutual induction.

On the other hand, calculi with explicit substitutions were introduced [1]
as a bridge between the $\lambda$-calculus [6] and concrete implementations of functional
programming languages. Those calculi intend to refine the evaluation process
by proposing reduction rules to deal with the substitution mechanism, a
meta-operation in the traditional $\lambda$-calculus. In the study of those calculi, an
important task was to establish good properties such as:

• Simulation of $\beta$-reduction, which says that a term that can be reduced to
another in the traditional $\lambda$-calculus can also be reduced to the same one
in the calculus with explicit substitutions.

• Confluence, which says that whatever reduction strategy you choose, you
can always find a common reduct.
• Preservation of strong normalization (PSN), which says that if a term is
$\beta$-strongly normalizing (i.e. cannot be infinitely reduced), it is also strongly
normalizing with respect to the calculus with explicit substitutions.

• Strong normalization (SN), which says that, with respect to a typing sys-
tem, every typed term is strongly normalizing in the calculus with explicit
substitutions.

It was remarked, at once, that explicit substitutions raise more difficulties
in normalization proofs, due to the fact that reductions can now take place
in an argument substituted in a term for a variable which is not free in that
term. Such reductions leave no trace in the original calculus, because the
substitution is bound to disappear. Therefore we cannot easily infer SN for
explicit substitutions from strong normalization of the original calculus.



1.2 The $\lambda\mu\tilde\mu$-Calculus with Explicit Substitutions: $\lambda\mu\tilde\mu x$

Here we work on $\lambda\mu\tilde\mu x$, an explicit substitutions version “à la” $\lambda x$ [4] of the
$\lambda\mu\tilde\mu$-calculus. Its syntax was introduced in [9] and, in the same paper, there
was an attempt to prove strong normalization of the deterministic call-by-name
fragment directly by the reducibility technique. Unfortunately, the technique did
not work so nicely, and the proof of a key lemma (Weakening lemma) turned out
to contain a bug. We keep this technique for the pure calculus (i.e. without explicit
substitutions), and, in order to lift it to the symmetric calculus, we adjust it as
Barbanera and Berardi did for their symmetric $\lambda$-calculus [2]. We will see that
reducibility sets constructed by fixed point ensure that their definition will not
fall in the symmetric infinite loop of terms defined by contexts and vice versa.

To prove SN, we formalize a technique initially suggested by Herbelin, which
consists in expanding substitutions into pure $\lambda\mu\tilde\mu$-redexes and in inheriting SN of
the whole calculus from SN of the pure calculus and from PSN.

Finally, to prove PSN, we use the perpetuality technique, as formalized by
Bonelli [5]. The main point of this technique is to exhibit a strategy which pre-
serves infinite reductions. This, together with some material to trace the substi-
tutions backwards, allows us to establish PSN by contradiction.

In the sequel, we will note $\mathcal{SN}_R$ the set of strongly normalizing terms in
the calculus $R$. We will use $FV(t)$ to denote the set of free variables of $t$, defined
in the usual way.



1.3 Organization

We first present the (simply typed) $\lambda\mu\tilde\mu$-calculus and we prove SN by the re-
ducibility technique (Section 2). In Section 3, we use the perpetuality technique
to establish PSN. Section 4 formalizes the proof technique of SN via PSN, and
gives the material to use it for $\lambda\mu\tilde\mu x$. Finally, we give the proof of SN of $\lambda\mu\tilde\mu x$
in Section 4.3.
2 The $\lambda\mu\tilde\mu$-Calculus and Its Strong Normalization

We first recall the definition of the $\lambda\mu\tilde\mu$-calculus, then we define reducibility sets
and finally we establish strong normalization of the pure calculus.

2.1 Definition

There are three syntactic categories: terms, contexts and commands, respectively
noted $v$, $e$ and $c$. We take two variable sets: $Var$ is the set of term variables,
noted $x, y, z$ etc.; $Var^{\perp}$ is the set of context variables, noted $\alpha, \beta$, etc. We will
note $t$ an object, i.e. one of $v$, $e$ or $c$. The syntax of the $\lambda\mu\tilde\mu$-calculus is:

$c ::= \langle v \mid e \rangle$

$v ::= x \mid \lambda x.v \mid e \cdot v \mid \mu\alpha.c$
$e ::= \alpha \mid \alpha\lambda.e \mid v \cdot e \mid \tilde\mu x.c$

Reduction rules are given below. The rules $(\mu)$ and $(\tilde\mu)$ form a critical pair:

$(\beta)\quad \langle \lambda x.v \mid v' \cdot e \rangle \rightarrow \langle v' \mid \tilde\mu x.\langle v \mid e \rangle \rangle$

$(\tilde\beta)\quad \langle e' \cdot v \mid \alpha\lambda.e \rangle \rightarrow \langle \mu\alpha.\langle v \mid e \rangle \mid e' \rangle$

$(\mu)\quad \langle \mu\alpha.c \mid e \rangle \rightarrow c[e/\alpha]$

$(\tilde\mu)\quad \langle v \mid \tilde\mu x.c \rangle \rightarrow c[v/x]$

$(sv)\quad \mu\alpha.\langle v \mid \alpha \rangle \rightarrow v \quad$ if $\alpha \notin FV(v)$

$(se)\quad \tilde\mu x.\langle x \mid e \rangle \rightarrow e \quad$ if $x \notin FV(e)$
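As an added worked example (not from the paper) of the critical pair formed by $(\mu)$ and $(\tilde\mu)$, take the command $\langle \mu\alpha.c \mid \tilde\mu x.c' \rangle$ where $\alpha \notin FV(c)$ and $x \notin FV(c')$. Both rules match the whole command, and the side conditions make the substitutions vanish:

$$\langle \mu\alpha.c \mid \tilde\mu x.c' \rangle \ \xrightarrow{(\mu)}\ c[\tilde\mu x.c'/\alpha] = c
\qquad\qquad
\langle \mu\alpha.c \mid \tilde\mu x.c' \rangle \ \xrightarrow{(\tilde\mu)}\ c'[\mu\alpha.c/x] = c'$$

With $c = \langle y \mid \beta \rangle$ and $c' = \langle z \mid \gamma \rangle$ (where $y \neq z$), both reducts are distinct commands in normal form, since none of the six rules applies to a variable cut against a variable. So the same term has two different normal forms: this is the non-confluence mentioned in the introduction, and it is why the reducibility sets of Section 2.2 cannot be defined by a plain mutual induction between terms and contexts.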



Types are usual simple types plus the minus type $A - B$ which is the sym-
metric counterpart of the arrow type $A \to B$; its meaning is $A$ and not $B$. We
work here in classical sequent calculus, with a notation to exhibit a formula in a
sequent: $\Gamma \vdash A \mid \Delta$ is the same sequent as $\Gamma \vdash A, \Delta$ but the formula $A$ is exhibited
as active formula. For further details about this framework and the isomorphism
with objects of the $\lambda\mu\tilde\mu$-calculus, see [7].

Three sequent forms are used to type the syntactic categories: the commands
are typed by $(\Gamma \vdash \Delta)$, the terms by $\Gamma \vdash A \mid \Delta$ and the contexts by $\Gamma \mid A \vdash \Delta$.
Here are the typing rules:

$$\frac{c : (\Gamma, x : A \vdash \Delta)}{\Gamma \mid \tilde\mu x.c : A \vdash \Delta} \qquad
\frac{\Gamma \vdash v : A \mid \Delta \quad \Gamma \mid e : A \vdash \Delta}{\langle v \mid e \rangle : (\Gamma \vdash \Delta)} \qquad
\frac{c : (\Gamma \vdash \alpha : A, \Delta)}{\Gamma \vdash \mu\alpha.c : A \mid \Delta}$$

$$\Gamma \mid \alpha : A \vdash \alpha : A, \Delta \qquad \Gamma, x : A \vdash x : A \mid \Delta$$

$$\frac{\Gamma \mid e : B \vdash \alpha : A, \Delta}{\Gamma \mid \alpha\lambda.e : A - B \vdash \Delta} \qquad
\frac{\Gamma, x : A \vdash v : B \mid \Delta}{\Gamma \vdash \lambda x.v : A \to B \mid \Delta}$$

$$\frac{\Gamma \vdash v : A \mid \Delta \quad \Gamma \mid e : B \vdash \Delta}{\Gamma \mid v \cdot e : A \to B \vdash \Delta} \qquad
\frac{\Gamma \vdash v : B \mid \Delta \quad \Gamma \mid e : A \vdash \Delta}{\Gamma \vdash e \cdot v : A - B \mid \Delta}$$
2.2 Reducibility Sets

We simultaneously define, by induction on the type structure:

— the operators:

$Lambda(X_1, X_2) =_{Def} \{\lambda x.v \mid \forall v' \in X_1, e \in X_2\ \ \langle v[v'/x] \mid e \rangle \in \llbracket \vdash \rrbracket\}$

$Cons(X_1, X_2) =_{Def} \{v \cdot e \mid v \in X_1 \text{ and } e \in X_2\}$

$\widetilde{Lambda}(X_1, X_2) =_{Def} \{\alpha\lambda.e \mid \forall e' \in X_1, v \in X_2\ \ \langle v \mid e[e'/\alpha] \rangle \in \llbracket \vdash \rrbracket\}$

$\widetilde{Cons}(X_1, X_2) =_{Def} \{e \cdot v \mid e \in X_1 \text{ and } v \in X_2\}$

$Mu(X) =_{Def} \{\mu\alpha.c \mid \forall e \in X\ \ c[e/\alpha] \in \llbracket \vdash \rrbracket\}$

$\widetilde{Mu}(X) =_{Def} \{\tilde\mu x.c \mid \forall v \in X\ \ c[v/x] \in \llbracket \vdash \rrbracket\}$

Remark 1. $Mu$ and $\widetilde{Mu}$ are decreasing operators: the greater $X$ is, the fewer
$\mu\alpha.c$’s (resp. $\tilde\mu x.c$’s) one can find that normalize against all $e$ in $X$.

Then

• if $A$ is atomic

$Neg_{\vdash A}(Y) = Var \cup Mu(Y)$

$Neg_{A \vdash}(X) = Var^{\perp} \cup \widetilde{Mu}(X)$

• if $A = A_1 \to A_2$

$Neg_{\vdash A}(Y) = Var \cup Mu(Y) \cup Lambda(\llbracket \vdash A_1 \rrbracket, \llbracket A_2 \vdash \rrbracket)$

$Neg_{A \vdash}(X) = Var^{\perp} \cup \widetilde{Mu}(X) \cup Cons(\llbracket \vdash A_1 \rrbracket, \llbracket A_2 \vdash \rrbracket)$

• if $A = A_1 - A_2$

$Neg_{\vdash A}(Y) = Var \cup Mu(Y) \cup \widetilde{Cons}(\llbracket A_1 \vdash \rrbracket, \llbracket \vdash A_2 \rrbracket)$

$Neg_{A \vdash}(X) = Var^{\perp} \cup \widetilde{Mu}(X) \cup \widetilde{Lambda}(\llbracket A_1 \vdash \rrbracket, \llbracket \vdash A_2 \rrbracket)$

Since $Mu$ and $\widetilde{Mu}$ are decreasing operators, $Neg$ is also a decreasing operator.
So $Neg_{\vdash A} \circ Neg_{A \vdash}$ is an increasing operator, and by Tarski’s theorem it
has a fixed point $X_0$;

— the reducibility sets:

$\llbracket \vdash \rrbracket = \mathcal{SN}_{\lambda\mu\tilde\mu}$ and $\llbracket \vdash A \rrbracket = X_0$ and $\llbracket A \vdash \rrbracket = Neg_{A \vdash}(X_0)$.
Proposition 1 (Good definition). The reducibility sets defined above satisfy

(i) $Var \subseteq \llbracket \vdash A \rrbracket$

(ii) $Var^{\perp} \subseteq \llbracket A \vdash \rrbracket$

(iii) $v \in \llbracket \vdash A \rrbracket \iff$
either $v = x$,
or $v = e \cdot v'$ with $A = A_1 - A_2$, $e \in \llbracket A_1 \vdash \rrbracket$ and $v' \in \llbracket \vdash A_2 \rrbracket$,
or $v = \mu\alpha.c$ and $\forall e \in \llbracket A \vdash \rrbracket\ \ c[e/\alpha] \in \llbracket \vdash \rrbracket$,
or $v = \lambda x.v'$ with $A = A_1 \to A_2$ and $\forall v'' \in \llbracket \vdash A_1 \rrbracket, e \in \llbracket A_2 \vdash \rrbracket\ \ \langle v'[v''/x] \mid e \rangle \in \llbracket \vdash \rrbracket$

(iv) $e \in \llbracket A \vdash \rrbracket \iff$
either $e = \alpha$,
or $e = v \cdot e'$ with $A = A_1 \to A_2$, $v \in \llbracket \vdash A_1 \rrbracket$ and $e' \in \llbracket A_2 \vdash \rrbracket$,
or $e = \tilde\mu x.c$ and $\forall v \in \llbracket \vdash A \rrbracket\ \ c[v/x] \in \llbracket \vdash \rrbracket$,
or $e = \alpha\lambda.e'$ with $A = A_1 - A_2$ and $\forall e'' \in \llbracket A_1 \vdash \rrbracket, v \in \llbracket \vdash A_2 \rrbracket\ \ \langle v \mid e'[e''/\alpha] \rangle \in \llbracket \vdash \rrbracket$

Proof. From the definition of the reducibility sets, we have $\llbracket \vdash \rrbracket = \mathcal{SN}_{\lambda\mu\tilde\mu}$ and
the points (i) and (ii). We prove the points (iii) and (iv). Due to the symmetry,
it suffices to prove (iii).

$v \in \llbracket \vdash A \rrbracket \iff v \in Neg_{\vdash A} \circ Neg_{A \vdash}(\llbracket \vdash A \rrbracket)$.

We then consider the different shapes of $A$ and we inline the corresponding
definition of $Neg_{\vdash A} \circ Neg_{A \vdash}(\llbracket \vdash A \rrbracket)$.

2.3 Strong Normalization

Here are the two traditional lemmas of strong normalization of the reducibility
sets (RS) and closure by reduction.

Lemma 1 (SN of RS). Let $A$ be a type. Then $\llbracket \vdash A \rrbracket \subseteq \mathcal{SN}_{\lambda\mu\tilde\mu}$ (1), $\llbracket A \vdash \rrbracket \subseteq \mathcal{SN}_{\lambda\mu\tilde\mu}$
(2) and $\llbracket \vdash \rrbracket \subseteq \mathcal{SN}_{\lambda\mu\tilde\mu}$ (3).

Proof. By induction on the structure of $A$.

1. We consider the different forms of $v \in \llbracket \vdash A \rrbracket$:

— $v = x$: then $v \in \mathcal{SN}_{\lambda\mu\tilde\mu}$.

— $v = e \cdot v'$: then $A = A_1 - A_2$ and we conclude by using the induction
hypothesis twice.

— $v = \mu\alpha.c$: by the point (ii) of Proposition 1, $\alpha \in \llbracket A \vdash \rrbracket$, then, by the point
(iii) of Proposition 1, $c[\alpha/\alpha] \in \llbracket \vdash \rrbracket$, that gives us $c \in \llbracket \vdash \rrbracket\ (= \mathcal{SN}_{\lambda\mu\tilde\mu})$. We
then have $\mu\alpha.c \in \mathcal{SN}_{\lambda\mu\tilde\mu}$.

— $v = \lambda x.v'$, then $A = A_1 \to A_2$: to get $v \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ we need $v' \in \mathcal{SN}_{\lambda\mu\tilde\mu}$.
By reducibility of $\lambda x.v'$, we have $\forall v'' \in \llbracket \vdash A_1 \rrbracket, e \in \llbracket A_2 \vdash \rrbracket\ \ \langle v'[v''/x] \mid e \rangle \in
\llbracket \vdash \rrbracket\ (= \mathcal{SN}_{\lambda\mu\tilde\mu})$. By the points (i) and (ii) of Proposition 1, we can take
$x$ for $v''$ and $\alpha$ for $e$, and that gives us $\langle v'[x/x] \mid \alpha \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$. We deduce
$v' \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ and conclude.
2. The proof for $e$ is similar to the proof for $v$ by symmetry.

3. By definition $\llbracket \vdash \rrbracket = \mathcal{SN}_{\lambda\mu\tilde\mu}$.

Lemma 2 (Closure by reduction).

1. $v \in \llbracket \vdash A \rrbracket$, $v \rightarrow v' \Rightarrow v' \in \llbracket \vdash A \rrbracket$.

2. $e \in \llbracket A \vdash \rrbracket$, $e \rightarrow e' \Rightarrow e' \in \llbracket A \vdash \rrbracket$.

3. $c \in \llbracket \vdash \rrbracket$, $c \rightarrow c' \Rightarrow c' \in \llbracket \vdash \rrbracket$.

Proof. By induction on $A$, considering the different shapes of $v$, $e$, and $c$.

1.1. $v = x$: then no more reduction can occur.

1.2. $v = e_1 \cdot v_1$: we must consider two possible reductions $e_1 \cdot v_1 \rightarrow e_2 \cdot v_1$ or
$e_1 \cdot v_1 \rightarrow e_1 \cdot v_2$. In either case, we conclude by induction hypothesis.

1.3. $v = \mu\alpha.c$: we consider the following two cases.

— The reduction is $\mu\alpha.c \rightarrow \mu\alpha.c'$. By definition of $\mu\alpha.c \in \llbracket \vdash A \rrbracket$ we have
$\forall e \in \llbracket A \vdash \rrbracket\ \ c[e/\alpha] \in \mathcal{SN}_{\lambda\mu\tilde\mu}$. Then we get $c'[e/\alpha] \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ (always for
any $e \in \llbracket A \vdash \rrbracket$) and we conclude with the point (iii) of Proposition 1.

— The reduction is $\mu\alpha.\langle v \mid \alpha \rangle \rightarrow v$ with $\alpha \notin FV(v)$. We know by hypoth-
esis that $\mu\alpha.\langle v \mid \alpha \rangle \in \llbracket \vdash A \rrbracket$, then, by the point (iii) of Proposition 1,
$\forall e \in \llbracket A \vdash \rrbracket\ \ \langle v \mid \alpha \rangle[e/\alpha] \in \mathcal{SN}_{\lambda\mu\tilde\mu}$, i.e. $\langle v \mid e \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$. If $v$ is a vari-
able, then we conclude immediately; if $v = \mu\beta.c$, $\langle \mu\beta.c \mid e \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$
implies that $c[e/\beta] \in \mathcal{SN}_{\lambda\mu\tilde\mu}$, which gives us $\mu\beta.c \in \llbracket \vdash A \rrbracket$ by the
point (iii) of Proposition 1. If $v = \lambda x.v'$, $\langle \lambda x.v' \mid e \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ gives us,
for $e = v_1 \cdot e_1$, $\langle v_1 \mid \tilde\mu x.\langle v' \mid e_1 \rangle \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$, then $\langle v' \mid e_1 \rangle[v_1/x] \in \mathcal{SN}_{\lambda\mu\tilde\mu}$
and $\langle v'[v_1/x] \mid e_1[v_1/x] \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ and finally, since $x$ is not free in $e_1$,
$\langle v'[v_1/x] \mid e_1 \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$, which is enough, by the points (iv) and (iii) of
Proposition 1, to conclude.

1.4. $v = \lambda x.v'$: $A = A_1 \to A_2$ and the reduction is $\lambda x.v' \rightarrow \lambda x.v''$. By the point
(iii) of Proposition 1, we know that $\forall v''' \in \llbracket \vdash A_1 \rrbracket, e \in \llbracket A_2 \vdash \rrbracket\ \ \langle v'[v'''/x] \mid e \rangle \in
\llbracket \vdash \rrbracket = \mathcal{SN}_{\lambda\mu\tilde\mu}$, so $\forall v''' \in \llbracket \vdash A_1 \rrbracket, e \in \llbracket A_2 \vdash \rrbracket\ \ \langle v''[v'''/x] \mid e \rangle \in \llbracket \vdash \rrbracket =
\mathcal{SN}_{\lambda\mu\tilde\mu}$ and we are done.

2.x. Same as 1.x by symmetry (where x ranges from 1 to 4).

3. $c \in \llbracket \vdash \rrbracket$: then $c \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ and $c \rightarrow c'$ implies that $c' \in \mathcal{SN}_{\lambda\mu\tilde\mu} = \llbracket \vdash \rrbracket$.

Here are now some lemmas to “inductively build” the membership of a RS.

Lemma 3.

$v \in \llbracket \vdash A \rrbracket$, $e \in \llbracket A \vdash \rrbracket \Rightarrow \langle v \mid e \rangle \in \llbracket \vdash \rrbracket$.

Proof. To show that $\langle v \mid e \rangle \in \llbracket \vdash \rrbracket$ is, by definition, to show that $\langle v \mid e \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$.
We take all possible pairs for $v$ and $e$ and we reason by induction on the strong
normalisation of $v$ and $e$ (which we get by Lemma 1) and on the length of $v$ and
$e$. We consider all the possible reductions of $\langle v \mid e \rangle$. If the reduction occurs in $v$
or $e$, we conclude by induction hypothesis and Lemma 2. Else,

• if $v = \mu\alpha.c$, the reduction is $\langle \mu\alpha.c \mid e \rangle \rightarrow c[e/\alpha]$ and we conclude by definition
of $\mu\alpha.c \in \llbracket \vdash A \rrbracket$,

• if $e = \tilde\mu x.c$, we conclude symmetrically to the last point,

• if $v = \lambda x.v'$ and $e = v'' \cdot e'$ (with $A = A_1 \to A_2$), the reduction is $\langle \lambda x.v' \mid v'' \cdot
e' \rangle \rightarrow \langle v'' \mid \tilde\mu x.\langle v' \mid e' \rangle \rangle$. We consider the possible reductions of $\langle v'' \mid \tilde\mu x.\langle v' \mid e' \rangle \rangle$.
By reducibility of $v$ and $e$, we have $v'' \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ and $\langle v'[v''/x] \mid e' \rangle \in \mathcal{SN}_{\lambda\mu\tilde\mu}$.
Consequently, since the reductions cannot occur infinitely in those terms, we
will get to reduce one of the following (where $v'' \rightarrow^* v_1$, $\langle v' \mid e' \rangle \rightarrow^* \langle v_2 \mid e_2 \rangle$):

— $\langle v_1 \mid \tilde\mu x.\langle x \mid e_2 \rangle \rangle \rightarrow \langle v_1 \mid e_2 \rangle$: by induction hypothesis, we have $\langle v'' \mid e' \rangle \in
\mathcal{SN}_{\lambda\mu\tilde\mu}$ and $\langle v_1 \mid e_2 \rangle$ is one of its reducts.

— $\langle v_1 \mid \tilde\mu x.\langle v_2 \mid e_2 \rangle \rangle \rightarrow \langle v_2[v_1/x] \mid e_2[v_1/x] \rangle$: this term is also a reduct of
$\langle v'[v''/x] \mid e'[v''/x] \rangle$ which is in $\mathcal{SN}_{\lambda\mu\tilde\mu}$ by reducibility of $v$, due to the
fact that since $x$ is not free in $e'$, hence in $e_2$, $e_2[v_1/x] = e_2$.

— $\langle \mu\alpha.c_1 \mid \tilde\mu x.\langle v_2 \mid e_2 \rangle \rangle \rightarrow c_1[\tilde\mu x.\langle v_2 \mid e_2 \rangle/\alpha]$ with $v_1 = \mu\alpha.c_1$. By reducibility
of $e$ and by Lemma 2 we have $\mu\alpha.c_1 \in \llbracket \vdash A_1 \rrbracket$, that gives us, by
definition, that $c_1[\tilde\mu x.\langle v_2 \mid e_2 \rangle/\alpha]$ belongs to $\llbracket \vdash \rrbracket$ if $\tilde\mu x.\langle v_2 \mid e_2 \rangle$ belongs to
$\llbracket A_1 \vdash \rrbracket$. And this last condition is satisfied, by definition, if and only if
$\forall v_3 \in \llbracket \vdash A_1 \rrbracket$ we have $\langle v_2[v_3/x] \mid e_2[v_3/x] \rangle \in \llbracket \vdash \rrbracket$, which is a consequence
of the reducibility of $v$ (with $e_2[v_3/x] = e_2$, by the same argument as
above).

• If $e = \alpha\lambda.e'$ and $v = e'' \cdot v'$, we conclude symmetrically to the last point.

• In all other cases, no reduction can occur.



Lemma 4. If $v[v'/x] \in \|\vdash B\|$ for all $v' \in \|\vdash A\|$, then $\lambda x.v \in \|\vdash A \to B\|$. If $e[e'/\alpha] \in \|B \vdash\|$ for all $e' \in \|A \vdash\|$, then $\alpha\tilde\lambda.e \in \|A - B \vdash\|$.

Proof. By symmetry we need only prove one of the two implications; let us take the first one. To prove that $\lambda x.v \in \|\vdash A \to B\|$ we need, by point (iii) of proposition 1, to prove that for all $v' \in \|\vdash A\|$ and $e \in \|B \vdash\|$, $\langle v[v'/x] \,|\, e\rangle \in \|\vdash\|$. By hypothesis we have $v[v'/x] \in \|\vdash B\|$. We conclude with lemma 3.

Here is the adequacy lemma.

Lemma 5 (Adequacy). Let $A$ be a type and $t$ an object such that $FV(t) \subseteq X_1 \cup X_2$ ($X_1$ a set of term variables and $X_2$ a set of context variables), where the variables $x_i \in X_1$ are of type $B_i$ and the variables $\alpha_j \in X_2$ are of type $C_j$. For all objects $v_i$, $e_j$ such that $\forall i,\ v_i \in \|\vdash B_i\|$ and $\forall j,\ e_j \in \|C_j \vdash\|$, we have, according to the shape of $t$:

1. if $X_1 : B \vdash v : A \mid X_2 : C$ then $v[v_1/x_1, \ldots, v_n/x_n, e_1/\alpha_1, \ldots, e_m/\alpha_m] \in \|\vdash A\|$;

2. if $X_1 : B \mid e : A \vdash X_2 : C$ then $e[v_1/x_1, \ldots, v_n/x_n, e_1/\alpha_1, \ldots, e_m/\alpha_m] \in \|A \vdash\|$;

3. if $c : (X_1 : B \vdash X_2 : C)$ then $c[v_1/x_1, \ldots, v_n/x_n, e_1/\alpha_1, \ldots, e_m/\alpha_m] \in \|\vdash\|$.

Remark 2. We write $X_1 : B$ for the enumeration $\{x_i : B_i \mid i \in [1,n]\}$ (and similarly $X_2 : C$).

Proof. We write $[/\!/]$ for the substitution $[v_1/x_1, \ldots, v_n/x_n, e_1/\alpha_1, \ldots, e_m/\alpha_m]$. We reason by induction on the structure of $t$.

— $v = x$: then, by hypothesis, $\exists i,\ A = B_i$. So $v[/\!/] = v_i \in \|\vdash B_i\| = \|\vdash A\|$.

— $v = e \cdot v'$: by the induction hypothesis on $e$ and $v'$, and by point (iii) of proposition 1, we conclude immediately.

— $v = \lambda x.v'$: we then have $A = A' \to A''$. Since we can rename bound variables, we may suppose that $x \notin \{x_1, \ldots, x_n\}$, which gives $(\lambda x.v')[/\!/] = \lambda x.(v'[/\!/])$. By the induction hypothesis, for all $v'' \in \|\vdash A'\|$ we have $v'[v''/x, /\!/] \in \|\vdash A''\|$, and by lemma 4 we are done.

— $v = \mu\alpha.c$: since we can rename bound variables, we may suppose that $\alpha \notin \{\alpha_1, \ldots, \alpha_m\}$. Now, by point (iii) of proposition 1, to prove that $(\mu\alpha.c)[/\!/] = \mu\alpha.(c[/\!/]) \in \|\vdash A\|$ we need only prove that, for all $e \in \|A \vdash\|$, $c[e/\alpha, /\!/] \in \|\vdash\|$, which is given by the induction hypothesis.

— $e$: the cases for $e$ are similar to those for $v$ by symmetry.

— $c = \langle v|e\rangle$: by the induction hypothesis on $v$ and $e$, and by lemma 3, we conclude immediately.

We can now establish the main theorem of this section.

Theorem 1. Every typed $\lambda\mu\tilde\mu$ object is strongly normalizing.

Proof. Let $t$ be an object of the $\lambda\mu\tilde\mu$-calculus typed by $\Gamma$ and $\Delta$, i.e. such that the conclusion of its typing judgement is either $\Gamma \vdash t : A \mid \Delta$, or $\Gamma \mid t : A \vdash \Delta$, or $t : (\Gamma \vdash \Delta)$. Suppose that its free variables are $\{x_1, \ldots, x_n;\ \alpha_1, \ldots, \alpha_m\}$, typed $x_i : A_i$ and $\alpha_i : B_i$. By points (i) and (ii) of proposition 1 we get that, for all $i$, $x_i \in \|\vdash A_i\|$ and $\alpha_i \in \|B_i \vdash\|$. Then, by lemma 5, $t[x_1/x_1, \ldots, x_n/x_n, \alpha_1/\alpha_1, \ldots, \alpha_m/\alpha_m] = t$ is in a reducibility set. By lemma 1 we get $t \in \mathcal{SN}$.

3 PSN of $\lambda\mu\tilde\mu$-Calculus with Explicit Substitutions

We first define the $\lambda\mu\tilde\mu$-calculus with explicit substitutions, then show some useful results on the substitution calculus, and finally establish the property of preservation of strong normalization (PSN).



3.1 Definition

To the three syntactic categories presented in the last section we add a fourth, for explicit substitutions, noted $\tau$. In the sequel, $*$ stands for either a term variable or a context variable. The syntax of the $\lambda\mu\tilde\mu x$-calculus is:

$$c ::= \langle v|e\rangle \mid c\tau$$
$$v ::= x \mid \lambda x.v \mid e \cdot v \mid \mu\alpha.c \mid v\tau$$
$$e ::= \alpha \mid \alpha\tilde\lambda.e \mid v \cdot e \mid \tilde\mu x.c \mid e\tau$$
$$\tau ::= [x \leftarrow v] \mid [\alpha \leftarrow e]$$

The source $Dom(\tau)$ of $\tau$ is $x$ if $\tau = [x \leftarrow v]$ and $\alpha$ if $\tau = [\alpha \leftarrow e]$. The body $S(\tau)$ of $\tau$ is $v$ in the first case and $e$ in the second. We say that a substitution belongs to $\mathcal{SN}$ if its body belongs to $\mathcal{SN}$.

We extend the typing system by adding a new form of sequent $(\Gamma \vdash \Delta) \Rightarrow (\Gamma' \vdash \Delta')$. Here are the typing rules for explicit substitutions:

$$\frac{\Gamma \vdash v : A \mid \Delta}{[x \leftarrow v] : (\Gamma, x : A \vdash \Delta) \Rightarrow (\Gamma \vdash \Delta)} \qquad \frac{\Gamma \mid e : A \vdash \Delta}{[\alpha \leftarrow e] : (\Gamma \vdash \Delta, \alpha : A) \Rightarrow (\Gamma \vdash \Delta)}$$

$$\frac{\Gamma \mid e : A \vdash \Delta \qquad \tau : (\Gamma \vdash \Delta) \Rightarrow (\Gamma' \vdash \Delta')}{\Gamma' \mid e\tau : A \vdash \Delta'} \qquad \frac{\Gamma \vdash v : A \mid \Delta \qquad \tau : (\Gamma \vdash \Delta) \Rightarrow (\Gamma' \vdash \Delta')}{\Gamma' \vdash v\tau : A \mid \Delta'}$$

$$\frac{c : (\Gamma \vdash \Delta) \qquad \tau : (\Gamma \vdash \Delta) \Rightarrow (\Gamma' \vdash \Delta')}{c\tau : (\Gamma' \vdash \Delta')}$$

The reduction rules are the following:

$(\beta)$ $\quad \langle \lambda x.v \,|\, v' \cdot e\rangle \to \langle v' \,|\, \tilde\mu x.\langle v|e\rangle\rangle$

$(\tilde\beta)$ $\quad \langle e' \cdot v \,|\, \alpha\tilde\lambda.e\rangle \to \langle \mu\alpha.\langle v|e\rangle \,|\, e'\rangle$

$(mu)$ $\quad \langle \mu\alpha.c \,|\, e\rangle \to c[\alpha \leftarrow e]$

$(\tilde{m}u)$ $\quad \langle v \,|\, \tilde\mu x.c\rangle \to c[x \leftarrow v]$

$(sv)$ $\quad \mu\alpha.\langle v|\alpha\rangle \to v \quad$ if $\alpha \notin FV(v)$

$(se)$ $\quad \tilde\mu x.\langle x|e\rangle \to e \quad$ if $x \notin FV(e)$

$(c\tau)$ $\quad \langle v|e\rangle\tau \to \langle v\tau \,|\, e\tau\rangle$

$(x\tau 1)$ $\quad x\tau \to S(\tau) \quad$ if $x \in Dom(\tau)$

$(x\tau 2)$ $\quad x\tau \to x \quad$ if $x \notin Dom(\tau)$

$(\alpha\tau 1)$ $\quad \alpha\tau \to S(\tau) \quad$ if $\alpha \in Dom(\tau)$

$(\alpha\tau 2)$ $\quad \alpha\tau \to \alpha \quad$ if $\alpha \notin Dom(\tau)$

$(\cdot\tau)$ $\quad (v \cdot e)\tau \to (v\tau) \cdot (e\tau)$

$(\tilde\cdot\tau)$ $\quad (e \cdot v)\tau \to (e\tau) \cdot (v\tau)$

$(\lambda\tau)$ $\quad (\lambda x.v)\tau \to \lambda x.(v\tau)$

$(\tilde\lambda\tau)$ $\quad (\alpha\tilde\lambda.e)\tau \to \alpha\tilde\lambda.(e\tau)$

$(\mu\tau)$ $\quad (\mu\alpha.c)\tau \to \mu\alpha.(c\tau)$

$(\tilde\mu\tau)$ $\quad (\tilde\mu x.c)\tau \to \tilde\mu x.(c\tau)$

We reason modulo $\alpha$-conversion on the bound variable in the rules $(\mu\tau)$, $(\tilde\mu\tau)$, $(\lambda\tau)$ and $(\tilde\lambda\tau)$, so that the bound variable is never the source of $\tau$ nor free in its body.

3.2 Substitution Calculus

We will note:

• $x$ the set of rules concerning the propagation of substitutions, namely $c\tau$, $x\tau 1$, $x\tau 2$, $\alpha\tau 1$, $\alpha\tau 2$, $\cdot\tau$, $\tilde\cdot\tau$, $\lambda\tau$, $\tilde\lambda\tau$, $\mu\tau$ and $\tilde\mu\tau$;

• $\neg x$ the set of rules not in $x$, namely those concerning reductions of the original calculus: $\beta$, $\tilde\beta$, $mu$, $\tilde{m}u$, $sv$ and $se$.

We present here some usual results on substitution calculi [5].







Lemma 6 (Strong normalization of $x$). $x$ is strongly normalizing and its normal forms are pure objects (i.e. objects without substitutions).

Proof. We define the following measure $h$:

$$h(*) = 1$$
$$h(\langle v|e\rangle) = h(v) + h(e) + 1$$
$$h(v \cdot e) = h(v) + h(e) + 1 \qquad h(e \cdot v) = h(v) + h(e) + 1$$
$$h(\lambda x.v) = h(v) + 1 \qquad h(\alpha\tilde\lambda.e) = h(e) + 1$$
$$h(\mu\alpha.c) = h(c) + 1 \qquad h(\tilde\mu x.c) = h(c) + 1$$
$$h(t[* \leftarrow t']) = h(t) \times (h(t') + 1)$$

We easily check that each $x$-reduction strictly decreases $h$ (the factor $h(t') + 1$ is at least 2, so propagating a substitution through a constructor or erasing it always loses weight). We prove by contradiction that the normal forms are pure objects: if there is a substitution, we look at the object to which it is applied and find a reduction to perform.

We write $x(t)$ for the $x$-normal form of an object $t$.



Lemma 7 (Confluence of $x$). $x$ is confluent.

Proof. All critical pairs have disjoint redexes, which gives local confluence. By Newman's lemma and lemma 6 we get confluence.



Lemma 8 (Substitution). $x(t[* \leftarrow t']) = x(t)\{* \leftarrow x(t')\}$, where $\{* \leftarrow u\}$ denotes the usual implicit (meta-level) substitution.

Proof. We prove, by induction on the height of $t$ and of the $t_i$, that
$$x(t[*_1 \leftarrow t_1] \ldots [*_n \leftarrow t_n]) = x(t)\{*_1 \leftarrow x(t_1)\} \ldots \{*_n \leftarrow x(t_n)\}.$$
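The substitution calculus of Section 3.1, the measure of lemma 6 and the identity of lemma 8 are small enough to run. The Python below is an added example written for this page, not code from the paper: the tuple encoding of objects, the node tags, the helper names and the sample objects are this example's own choices. It implements the propagation rules $(c\tau)$, $(x\tau 1)$, $(x\tau 2)$, $(\alpha\tau 1)$, $(\alpha\tau 2)$, $(\cdot\tau)$, $(\tilde\cdot\tau)$, $(\lambda\tau)$, $(\tilde\lambda\tau)$, $(\mu\tau)$, $(\tilde\mu\tau)$ as a one-step reduction, checks at every step that $h$ strictly decreases, checks that the normal form is pure, and compares $x(t[* \leftarrow t'])$ with $x(t)\{* \leftarrow x(t')\}$ on one instance. It assumes what the paper obtains by $\alpha$-conversion: bound variables are distinct from the source and the free variables of any substitution, and term and context variable names are disjoint.

```python
# Added example for this page (not the paper's code): the x-calculus of lambda-mu-mu~x.
# Objects are tuples:  ('var', 'x')  ('cvar', 'a')                       x, alpha
#   ('cmd', v, e) ('vdot', v, e) ('edot', e, v)                          <v|e>, v.e, e.v
#   ('lam', 'x', v) ('ltil', 'a', e) ('mu', 'a', c) ('mut', 'x', c)      lambda x.v, alpha lambda~.e, mu alpha.c, mu~ x.c
#   ('sub', t, star, body)  with star = ('var', ..) or ('cvar', ..)      t[* <- body]

def h(t):
    """Measure h of Lemma 6; substitutions weigh h(t) * (h(t') + 1)."""
    tag = t[0]
    if tag in ('var', 'cvar'):
        return 1
    if tag in ('cmd', 'vdot', 'edot'):
        return h(t[1]) + h(t[2]) + 1
    if tag in ('lam', 'ltil', 'mu', 'mut'):
        return h(t[2]) + 1
    if tag == 'sub':
        return h(t[1]) * (h(t[3]) + 1)
    raise ValueError(tag)

def free(t):
    """Free variable names (term and context names assumed disjoint)."""
    tag = t[0]
    if tag in ('var', 'cvar'):
        return {t[1]}
    if tag in ('cmd', 'vdot', 'edot'):
        return free(t[1]) | free(t[2])
    if tag in ('lam', 'ltil', 'mu', 'mut'):
        return free(t[2]) - {t[1]}
    return (free(t[1]) - {t[2][1]}) | free(t[3])      # t[* <- u]: * is bound in t

def x_step(t):
    """One x-step (root rule first, then leftmost subterm); None if t is x-normal."""
    tag = t[0]
    if tag == 'sub':
        u, star, body = t[1], t[2], t[3]
        k = u[0]
        if k in ('var', 'cvar'):                  # x tau1 / x tau2 / alpha tau1 / alpha tau2
            return body if u == star else u
        if k in ('cmd', 'vdot', 'edot'):          # c tau, . tau, .~ tau
            return (k, ('sub', u[1], star, body), ('sub', u[2], star, body))
        if k in ('lam', 'ltil', 'mu', 'mut'):     # lambda tau, lambda~ tau, mu tau, mu~ tau
            assert u[1] != star[1] and u[1] not in free(body), "alpha-rename the binder first"
            return (k, u[1], ('sub', u[2], star, body))
        return ('sub', x_step(u), star, body)     # u = t1[*1 <- t2]: propagate the inner one first
    if tag in ('var', 'cvar'):
        return None
    if tag in ('lam', 'ltil', 'mu', 'mut'):
        r = x_step(t[2])
        return None if r is None else (tag, t[1], r)
    for i in (1, 2):                               # binary nodes
        r = x_step(t[i])
        if r is not None:
            return t[:i] + (r,) + t[i + 1:]
    return None

def x_trace(t):
    """x-normalize t; returns (normal form, list of h along the way), checking Lemma 6 at each step."""
    trace = [h(t)]
    while True:
        r = x_step(t)
        if r is None:
            return t, trace
        t = r
        assert h(t) < trace[-1], "an x-step did not decrease h"
        trace.append(h(t))

def x_nf(t):
    return x_trace(t)[0]

def is_pure(t):
    tag = t[0]
    if tag == 'sub':
        return False
    if tag in ('var', 'cvar'):
        return True
    if tag in ('lam', 'ltil', 'mu', 'mut'):
        return is_pure(t[2])
    return is_pure(t[1]) and is_pure(t[2])

def subst(t, star, u):
    """Implicit substitution t{* <- u} on pure objects (same naming assumption as x_step)."""
    tag = t[0]
    if tag in ('var', 'cvar'):
        return u if t == star else t
    if tag in ('lam', 'ltil', 'mu', 'mut'):
        assert t[1] != star[1] and t[1] not in free(u)
        return (tag, t[1], subst(t[2], star, u))
    if tag == 'sub':
        raise ValueError("subst is only defined on pure objects")
    return (tag, subst(t[1], star, u), subst(t[2], star, u))

# Constructed sample: the (mu) redex <mu a.<x | y . a> | mu~ z.<z | b>> fires to <x | y . a>[a <- mu~ z.<z|b>];
# x-normalization must then give the pure command <x | y . mu~ z.<z | b>>.
A, B = ('cvar', 'a'), ('cvar', 'b')
E = ('mut', 'z', ('cmd', ('var', 'z'), B))
C = ('cmd', ('var', 'x'), ('vdot', ('var', 'y'), A))
T = ('sub', C, A, E)
EXPECTED = ('cmd', ('var', 'x'), ('vdot', ('var', 'y'), E))
# Lemma 8 instance with a substitution inside t:  (<x | a>[x <- y])[a <- E]
T2 = ('sub', ('sub', ('cmd', ('var', 'x'), A), ('var', 'x'), ('var', 'y')), A, E)

if __name__ == '__main__':
    nf, trace = x_trace(T)
    print(nf == EXPECTED, is_pure(nf), trace)
    print(x_nf(T2) == subst(x_nf(T2[1]), A, x_nf(E)))
```

The strategy used by `x_step` does not matter for the measure: $h$ decreases on every $x$-step wherever it happens, which is exactly why lemma 6 gives strong normalization rather than just termination of one strategy.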



Lemma 9 (Simulation of the $\lambda\mu\tilde\mu$-calculus). For all pure objects $t$ and $u$, if $t \to_{\lambda\mu\tilde\mu} u$ then $t \to^{+}_{\lambda\mu\tilde\mu x} u$.

Proof. By induction on the structure of $t$. The only interesting cases are those in which the reduction occurs at the root.

— $\langle \mu\alpha.c|e\rangle \to c\{\alpha \leftarrow e\}$: we have
$$\langle \mu\alpha.c|e\rangle \to_{mu} c[\alpha \leftarrow e] \to^{*}_{x} x(c[\alpha \leftarrow e]) = x(c)\{\alpha \leftarrow x(e)\}.$$
Since $\langle \mu\alpha.c|e\rangle$ is a pure object, $x(c) = c$ and $x(e) = e$, and we are done.

— $\langle v|\tilde\mu x.c\rangle \to c\{x \leftarrow v\}$: this case is similar to the previous one by symmetry.

— The other rules are simulated in one step by their homonyms in $\lambda\mu\tilde\mu x$.

We say that a reduction is void if it occurs in the body of a substitution $t[* \leftarrow t']$ such that $* \notin FV(x(t))$; such a step can never show up in the $x$-normal form. We mark such steps as void in what follows.

Lemma 10 (Projection).

1. If $t \to_{x} u$ then $x(t) = x(u)$.

2. If $t \to_{\neg x} u$ is not a void reduction, then $x(t) \to^{+}_{\lambda\mu\tilde\mu} x(u)$.

Proof. We consider three cases:

— the reduction is $t \to_{x} u$: then $x(t) = x(u)$ by confluence of $x$;

— the reduction is $t \to_{\neg x} u$ and is void: the redex lies in the body of a substitution that is erased by $x$-normalization, so $x(t) = x(u)$;

— the reduction is $t \to_{\neg x} u$ and is not void: the redex appears (possibly in several copies) in $x(t)$, and reducing it there yields $x(u)$.
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3.3 Around Perpetuality 

We use the perpetuality technique, formalised by Bonelli [5]. In fact, we use 
only the first part of the technique, which is enough to prove preservation of 
strong normalisation. We give some lemmas to extract a void substitution with 
an infinite derivation inside, and to trace this substitution backwards. 

Lemma 11. Let $t_0 \to_{\lambda\mu\tilde\mu x} t_1 \to_{\lambda\mu\tilde\mu x} t_2 \cdots$ be an infinite reduction. If $x(t_0) \in \mathcal{SN}_{\lambda\mu\tilde\mu}$, then there exists an integer $k$ such that for all $i \geq k$ the step $t_i \to t_{i+1}$ is void.

Proof. Since $x$ is strongly normalizing, the reduction must have the shape $t_0 \to^{*}_{x} t_1 \to_{\neg x} t_2 \to^{*}_{x} t_3 \to_{\neg x} t_4 \cdots$. By lemma 10 we have $x(t_0) = x(t_1)$, $x(t_2) = x(t_3)$, and so on, while for every even $i$, if $t_{i+1} \to_{\neg x} t_{i+2}$ is not a void reduction then $x(t_i) \to^{+}_{\lambda\mu\tilde\mu} x(t_{i+2})$. From $x(t_0) \in \mathcal{SN}_{\lambda\mu\tilde\mu}$ we deduce that there exists $k$ such that for all even $i$ greater than $k$ the step $t_{i+1} \to_{\neg x} t_{i+2}$ is void. We must now prove that, from a certain point on, the $x$-reductions are void as well. For that we reuse the measure $h$ of lemma 6, replacing its clause for substitutions by

$$h(t[* \leftarrow t']) = \begin{cases} h(t) \times (h(t') + 1) & \text{if } * \in FV(x(t)) \\ h(t) \times 2 & \text{otherwise} \end{cases}$$

(the other clauses, e.g. $h(*) = 1$, $h(\langle v|e\rangle) = h(v) + h(e) + 1$, $h(\mu\alpha.c) = h(c) + 1$, $h(\tilde\mu x.c) = h(c) + 1$, are unchanged). The new clause guarantees that a void reduction leaves the measure unchanged, since the body of a void substitution no longer contributes to it. One easily checks that every non-void $x$-reduction strictly decreases this measure; as the $\neg x$-steps beyond $k$ are all void, only finitely many non-void steps can remain, and we conclude.



The next notion is useful to isolate a void substitution.

Definition 1 (Skeleton). The skeleton of an object, noted $SK(t)$, is inductively defined as follows (the constructors not shown are treated like $\mu$ and $\langle\cdot|\cdot\rangle$):

$$SK(*) = * \qquad SK(\langle v|e\rangle) = \langle SK(v) \,|\, SK(e)\rangle$$
$$SK(\mu\alpha.c) = \mu\alpha.SK(c) \qquad SK(\tilde\mu x.c) = \tilde\mu x.SK(c)$$
$$SK(t[* \leftarrow u]) = SK(t)[* \leftarrow \bullet]$$

We remark that if $t \to u$ is a void reduction, then $SK(t) = SK(u)$.

The following lemma says that if there is an infinite derivation, then there exists a substitution inside which there is an infinite derivation.

Lemma 12. Let $t_0 \to_{\lambda\mu\tilde\mu x} t_1 \to_{\lambda\mu\tilde\mu x} t_2 \to_{\lambda\mu\tilde\mu x} \cdots$ be an infinite derivation. If $x(t_0) \in \mathcal{SN}_{\lambda\mu\tilde\mu}$, then there exist an integer $k$, an object $t$, a variable $*$, a context $C$ and a sequence of objects $(u_i)_{i \geq k}$ such that

$$t_k = C[t[* \leftarrow u_k]] \to_{\lambda\mu\tilde\mu x} C[t[* \leftarrow u_{k+1}]] \to_{\lambda\mu\tilde\mu x} C[t[* \leftarrow u_{k+2}]] \to_{\lambda\mu\tilde\mu x} \cdots$$

with $u_k \to_{\lambda\mu\tilde\mu x} u_{k+1} \to_{\lambda\mu\tilde\mu x} u_{k+2} \to_{\lambda\mu\tilde\mu x} u_{k+3} \cdots$ an infinite derivation.

Proof. By lemma 11 there exists $k$ such that for all $i \geq k$ the step $t_i \to t_{i+1}$ is void. Then $SK(t_k) = SK(t_i)$ for all $i \geq k$. The derivation from $t_k$ being infinite and $SK(t_k)$ having finitely many substitution holes, by the pigeonhole principle an infinite derivation must take place inside one and the same substitution of $SK(t_k)$, and we are done.

Lemma 13 (Substitution tracing, one step). Let $t$ and $u$ be two objects such that $t \to_{\lambda\mu\tilde\mu x} u = C[u_1[* \leftarrow u_2]]$. Then

1. either $t = C'[u'_1[* \leftarrow u_2]]$,

2. or $t = C'[u'_1[* \leftarrow u'_2]]$ with $u'_2 \to_{\lambda\mu\tilde\mu x} u_2$,

3. or $u_1$ is a command and, if $* = \alpha$ then $t = C[\langle \mu\alpha.u_1 \,|\, u_2\rangle]$, else $t = C[\langle u_2 \,|\, \tilde\mu x.u_1\rangle]$.

Proof. We reason by induction on $t$ and consider the following two cases.

• The reduction takes place at the root. First note that if $u_1[* \leftarrow u_2]$ appears in a sub-term of $u$ which is also a sub-term of $t$, then the first item holds for some context $C'$ and $u'_1 = u_1$. This also applies when the rule used at the root is one of the $x\tau$ or $\alpha\tau$ rules. Otherwise, if the rule is $mu$ or $\tilde{m}u$, the third item holds; if it is any other rule, the first item holds; in both cases we use the empty context.

• The reduction is internal.

— $t = *$: the result holds trivially.

— $t = \langle v|e\rangle$ with either $v \to v'$ or $e \to e'$. We consider the first case, the second being similar. We have $u = \langle v'|e\rangle$ and:

⋆ if the sub-term $u_1[* \leftarrow u_2]$ occurs in $v'$, we use the induction hypothesis;

⋆ otherwise the sub-term $u_1[* \leftarrow u_2]$ occurs in $e$, and the first item holds.

— $t = v \cdot e$ or $t = e \cdot v$ with either $v \to v'$ or $e \to e'$: we conclude as in the previous point.

— $t = \mu\alpha.c$, $\tilde\mu x.c$, $\lambda x.v$ or $\alpha\tilde\lambda.e$: we use the induction hypothesis.

— $t = t_1[*' \leftarrow t_2]$. There are two cases:

⋆ $t_1 \to t'_1$ and $u = t'_1[*' \leftarrow t_2]$. If $u_1[* \leftarrow u_2]$ occurs in $t'_1$ we use the induction hypothesis. If it occurs in $t_2$ the first item holds trivially. Finally, if $u = u_1[* \leftarrow u_2]$, we take the empty context for $C'$ and $u'_1 = t_1$, and the first item holds.

⋆ $t_2 \to t'_2$ and $u = t_1[*' \leftarrow t'_2]$. If $u_1[* \leftarrow u_2]$ occurs in $t_1$ the first item holds trivially. If it occurs in $t'_2$ we use the induction hypothesis. Finally, if $u = u_1[* \leftarrow u_2]$, we take the empty context for $C'$, $u'_1 = t_1$ and $u'_2 = t_2$, and the second item holds.

This result extends naturally to many-step reductions.

Lemma 14 (Substitution tracing). Let $t_1, \ldots, t_n$ be objects such that, for all $i$, $t_i \to_{\lambda\mu\tilde\mu x} t_{i+1}$, and $t_n = C[u_1[* \leftarrow u_2]]$. Then

1. either $* = \alpha$ and there is $i$ such that $t_i = C'[\langle \mu\alpha.u'_1 \,|\, u'_2\rangle]$ with $u'_2 \to^{*}_{\lambda\mu\tilde\mu x} u_2$,

2. or $* = x$ and there is $i$ such that $t_i = C'[\langle u'_2 \,|\, \tilde\mu x.u'_1\rangle]$ with $u'_2 \to^{*}_{\lambda\mu\tilde\mu x} u_2$,

3. or $t_1 = C'[u'_1[* \leftarrow u'_2]]$ with $u'_2 \to^{*}_{\lambda\mu\tilde\mu x} u_2$.

Proof. By induction on the number of reduction steps, using lemma 13.

We formalise the notion of derivation ordering.

Definition 2. Let $\phi$ and $\psi$ be two infinite derivations starting from an object $t_1$. Then $\phi$ is called smaller than $\psi$ if they reduce the same redexes for the first $n - 1$ steps and the $n$-th redex reduced by $\phi$ is a strict subterm of the $n$-th redex reduced by $\psi$. An infinite derivation is minimal if no infinite derivation is smaller than it.

Here is the main theorem of this section.

Theorem 2 (PSN). $t \in \mathcal{SN}_{\lambda\mu\tilde\mu} \ \Rightarrow\ t \in \mathcal{SN}_{\lambda\mu\tilde\mu x}$.

Proof. By contradiction. Suppose that there exists a pure term $t$ which can be infinitely reduced in the $\lambda\mu\tilde\mu x$-calculus. We take a minimal derivation of this term. By lemma 12, at a certain point we can exhibit an infinite derivation inside a void substitution. By lemma 14, we can go backwards until we reach the reduction which creates this substitution (case 3 of lemma 14 is excluded since $t$ is pure) while keeping the infinite reduction inside its body. This creation point (chosen by the minimal derivation) is a proper prefix of the position of the infinite derivation inside the future body of the void substitution, so the minimal derivation reduced an outer redex while an infinite derivation was available in a strict subterm. This contradicts the minimality of the derivation.

4 PSN Implies SN

4.1 Proof Technique

The technique we present here is very general and can be applied to many calculi with explicit substitutions. The idea is the following: let $t$ be a typed term with explicit substitutions, with its typing judgement; we build a typed term $t'$ of the pure calculus by expanding the substitutions of $t$ into redexes. We call this expansion $Ateb$. We require the following two properties, which are enough to establish theorem 3.

Property 1 (Preservation of typability). If $t$ is typable in the calculus with explicit substitutions, then $Ateb(t)$ is typable in the pure calculus.

Property 2 (Initialization). $Ateb(t)$ reduces to $t$ in 0 or more steps in the calculus with explicit substitutions.

We can now establish the theorem.

Theorem 3. For any typing system such that all typable terms are strongly normalizing, if there exists a function $Ateb$ from explicit substitution terms to pure terms satisfying properties 1 and 2, then PSN implies SN.

Proof. Let $t$ be a typed term of the calculus with explicit substitutions. $Ateb(t)$ is a pure typed term (by property 1). By the hypothesis of strong normalization of the pure typed calculus, $Ateb(t) \in \mathcal{SN}$ of the pure calculus (in the present case $\mathcal{SN}_{\lambda\mu\tilde\mu}$). By the hypothesis of PSN, $Ateb(t) \in \mathcal{SN}$ of the calculus with explicit substitutions (in the present case $\mathcal{SN}_{\lambda\mu\tilde\mu x}$). By property 2, $Ateb(t) \to^{*} t$, which gives directly $t \in \mathcal{SN}$ (in the present case $\mathcal{SN}_{\lambda\mu\tilde\mu x}$).
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4.2 Application to Ap/i 

Here is the definition of Ateb. It is obvious that for all t, Ateb{t) contains no 
substitutions. We then check that this function satisfies the two properties we 
mention above. 



Definition 3. 



Ateb{x) 
Ateb{\x.v) 
Ateb{^a.c) 
Ateb{e ■ v) 
Ateb{{v\e)) 



= X 

= \x.Ateb{v) 

= iia.Ateb{c) 

= Ateb{e) ■ Ateb{v) 
= {Ateb{v)\Ateb\e)) 



Ateb{a) = a 
Ateb{aX.e) = aX.Ateb{e) 
Atebijlx.c) = 'jlx.Ateb{c) 
Ateb{v ■ e) = Ateb(v) ■ Ateb(e) 



Ateb{c[x ^ v]) = (Ateb{v)\'jlx.Ateb{c)) 
Ateb{c[a -h- e]) = {^a.Ateb{c)\Ateb{e)) 
Ateb{v[x ^ u']) = /j,a.(Xx.Ateb(v)\Ateb{v') ■ a) 
Ateb{v[a ^ e]) = nP.{fj,a.{Ateb{v)\f3)\Ateb{e)) 
Ateb{e[x •<— ?;]) = ]ly.{Ateb{v)\'jlx.{y\Ateb{e))) 
Ateb{e[a ^ e'j) = ]lx.{Ateb{e') ■ x\aX.Ateb{e)) 



With a fresh variable 
With /3 fresh variable 
With y fresh variable 
With X fresh variable 



Proof, (of property 1) Easy by induction on the proof of the typing judgement 
of t. 



Proof, (of property 2) We proceed by induction on t. Only the cases for substi- 
tutions are not easy. By the symmetry of the system, we consider only one half 
of it. 

— We have Ateb{c[x ^ w]) = {Ateb{v)\Jlx.Ateb{c)) and 

{Ateb{v)\]lx.Ateb{c)) — Ateb{c)[x ^ Ateb{v)]. 

— We have Ateb{v[x ^ u']) = fj,a.{Xx.Ateb{v)\Ateb{v') ■ a) and 

ya.{Xx.Ateb{v)\Ateb{v') ■ a) 

— y,a.{Ateb{v')\]lx.{Ateb{v)\a)) — jjLa.{{Ateb{v)\a)[x Ateb{v')]) 

— >-cT ya.{Ateb{v)[x Ateb{v')\\a[x ^ Ateb{v')\) 

-^oct 2 ya.{Ateb{v)[x ^ Ateb{v')]\a) -^sv Ateb{v)[x ^ Ateb{v')]. 

— We have Ateb{v[a ^ e]) = yP.{ya.{Ateb{v)\P)\Ateb{e)) and 

yf3.{lJ,a.{Ateb{v)\P)\Ateb{e)) fj,p.{{Ateb{v)\P)[a Ateb{e)]) 
-^cT y.13 .{Ateb{v)[a -fr- Ateb{e)]\l3[a -fr- Ateb{e)]) 

yP.{Ateb{v)[a ^ Ateb{e)]\(3) -^sv Ateb{v)[a ^ Ateb{e)]. 

In each case, we conclude by induction hypothesis. 



We can therefore use Theorem 3.

4.3 Strong Normalization of the $\lambda\mu\tilde\mu x$-Calculus

We collect our results to prove the main theorem of this work.

Theorem 4. The typed $\lambda\mu\tilde\mu x$-calculus is strongly normalizing.

Proof. By Theorem 1 (SN for the pure calculus), Theorem 2 (PSN) and Theorem 3 (PSN implies SN).

5 Achievements and Perspectives

Using various proof techniques, we have established that the $\lambda\mu\tilde\mu x$-calculus is strongly normalizing. For that purpose, we have formalized a proof technique of SN via PSN. Let us mention that we have successfully applied this technique, with some adjustments, to prove SN of the $\lambda\upsilon$-calculus (introduced in [3]) for the first time, as far as we know. We also used it to establish that PSN implies SN for the $\lambda\sigma$-calculus [1], for which PSN is known to fail [10], showing that, for this calculus, the only obstacle to SN is PSN.

It remains an open problem to build a direct proof, by the reducibility technique, of SN for a symmetric non-deterministic calculus with explicit substitutions. Another direction of work could be to replace substitutions à la $\lambda x$ by substitutions à la $\lambda_{ws}$ [8], which yields, through the addition of explicit weakenings, a more powerful substitution system. It may even help us to find a direct proof of SN. Finally, we plan to work on a second-order version of $\lambda\mu\tilde\mu x$.
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Abstract. Given a signature of basic operations for a computational 
effect such as side-effects, interactive input/output, or exceptions, we 
give a unihed construction that determines equations that should hold 
between derived operations of the same arity. We then show how to 
construct a canonical model for the signature, together with the first- 
order fragment of the computational A-calculus, subject to the equations, 
done at the level of generality of an arbitrary computational effect. We 
prove a universality theorem that characterises the canonical model, and 
we recall, from a previous paper, how to extend such models to the full 
computational A-calculus. Our leading example is that of side-effects, 
with occasional reference to interactive input/output, exceptions, and 
nondeterminism . 



1 Introduction

Last year, at the Typed Lambda Calculus and Applications conference, I proved that every category theoretic model of what I defined to be the first-order fragment of Moggi's computational $\lambda$-calculus can be canonically embedded into a model of the whole calculus, the embedding satisfying an elegant and natural universal property [20]. After my talk, Carolyn Talcott asked what I regarded, and continue to regard, as an excellent question. As I understand her question, she had expected me to discuss computational effects, whereas, as I had pointed out in the talk, the computational $\lambda$-calculus does not actually have computational effects in it, but rather is a particularly well-designed calculus to which one can add computational effects. So her question was whether I could say something directly about computational effects in the context of the talk. This paper addresses that question.

Over recent years, there has been a concerted attempt, led by Gordon Plotkin and myself, to develop a unified, elegant theory of computational effects, with both operational and denotational semantics, a logic, and theorems relating them, designed to analyse and reason about call-by-value functional programming languages that extend the simply typed $\lambda$-calculus, along the lines of ML [4,5,6,7,13,14,15,16,17]. Our starting point has typically been Eugenio Moggi's computational $\lambda$-calculus or $\lambda_c$-calculus, which was introduced in [10,11], with four distinct sound and complete classes of category theoretic models explained in [18], and with further abstract semantic development in [8,19,20,21]. The ideas surrounding the calculus have been applied extensively by the functional programming community, albeit typically using the computational metalanguage rather than the $\lambda_c$-calculus: a recent overview appears as [1].

The heart of Plotkin's and my theory of computational effects, and the sense in which it goes beyond the $\lambda_c$-calculus, has been the study of operations that may be added as a signature to the $\lambda_c$-calculus: for global state, one wants lookup and update; for interactive input/output, one wants read and write; for nondeterminism, one wants binary $\vee$; etcetera [14,16]. We have studied signatures of such operations extensively (see [17] for a recent summary), but we have not yet given a unified, elegant account, supported by a body of mathematical theory and by natural computational examples, of what equations should be imposed on the operations, and how to derive canonical models for the $\lambda_c$-calculus together with the signature and equations determined by the effect at hand. Those issues lie at the heart of Carolyn Talcott's question as I understand it, and this paper is designed to address them.

Consider the example of global state. We have a signature given by basic operations $\mathit{lookup}$ and $\mathit{update}$. These basic operations have arities given by $\mathit{lookup} : \mathit{Val} \to \mathit{Loc}$ and $\mathit{update} : 1 \to \mathit{Loc} \times \mathit{Val}$, where $\mathit{Loc}$ is a finite set of locations and $\mathit{Val}$ is a countable set of values. To decide what equations the operations derived from lookup and update should satisfy, one natural way to proceed is as follows. First define the set $\mathit{State}$ of states to be the set $\mathit{Val}^{\mathit{Loc}}$ of functions from locations to values. Now model the basic operation lookup by the function

$$(\mathit{State} \to \mathit{State})^{\mathit{Val}} \longrightarrow (\mathit{State} \to \mathit{State})^{\mathit{Loc}}$$

determined by composition with the function from $\mathit{Loc} \times \mathit{State}$ to $\mathit{Val} \times \mathit{State}$ that, given $(loc, \sigma)$, "looks up" $loc$ in $\sigma : \mathit{Loc} \to \mathit{Val}$ to determine its value, and by the projection to $\mathit{State}$. And model the basic operation update by the function

$$(\mathit{State} \to \mathit{State}) \longrightarrow (\mathit{State} \to \mathit{State})^{\mathit{Loc} \times \mathit{Val}}$$

determined by composition with the function from $\mathit{Loc} \times \mathit{Val} \times \mathit{State}$ to $\mathit{State}$ that, given $(loc, v, \sigma)$, "updates" $\sigma : \mathit{Loc} \to \mathit{Val}$ by replacing the value at $loc$ by $v$. This modelling of lookup and update automatically generates a model of any operation derived from lookup and update. Now put two derived operations of the same arity equal if and only if they yield the same function on the appropriate power of $\mathit{State} \to \mathit{State}$. This construction yields exactly the equations that are commonly agreed by the programming community as natural for global state (see [14,15] for more analysis of such equations). For instance, one such equation is $\mathit{lookup}_{loc}(\mathit{update}_{loc,v}(x))_{v} = x$: reading $loc$ and immediately writing the value just read back into $loc$ has no effect.
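The construction just described (model lookup and update on $\mathit{State} = \mathit{Val}^{\mathit{Loc}}$, then equate two derived operations exactly when they yield the same function) can be decided mechanically once $\mathit{Loc}$ and $\mathit{Val}$ are finite. The Python below is an added example for this page, not code from the paper: the two-location, two-value instance, the term encoding of derived operations and the list of equations checked are this example's own choices. A derived operation of arity $n$ is evaluated as a map from states to pairs (index of the variable reached, resulting state); plugging functions $f_0, \ldots, f_{n-1} : \mathit{State} \to \mathit{State}$ into the variables then gives precisely the function on the power of $\mathit{State} \to \mathit{State}$ that the text describes, so two derived operations are equal iff their tables over all states coincide.

```python
# Added example for this page (not the paper's code): equations between derived
# operations of lookup/update, decided on a constructed finite model of global state.
from itertools import product

LOC = ('l0', 'l1')          # assumed finite set of locations
VAL = (0, 1)                # assumed finite set of values (the paper allows a countable set)
STATES = [dict(zip(LOC, vs)) for vs in product(VAL, repeat=len(LOC))]   # State = Val^Loc

# Derived operations over variables x_0 .. x_{n-1}:
#   ('var', i) | ('lookup', loc, {v: term for v in VAL}) | ('update', loc, v, term)
def run(term, sigma):
    """Evaluate a derived operation on state sigma: (index of variable reached, resulting state)."""
    tag = term[0]
    if tag == 'var':
        return term[1], dict(sigma)
    if tag == 'lookup':                      # read loc, continue in the branch for that value
        _, loc, branches = term
        return run(branches[sigma[loc]], sigma)
    if tag == 'update':                      # overwrite loc, then continue
        _, loc, v, cont = term
        return run(cont, {**sigma, loc: v})
    raise ValueError(tag)

def instantiate(term, fs):
    """The State -> State function obtained by plugging fs[i] : State -> State for x_i."""
    def g(sigma):
        i, sigma2 = run(term, sigma)
        return fs[i](sigma2)
    return g

def table(term):
    """The whole function a derived operation denotes, tabulated over every state."""
    return [(i, tuple(sorted(s.items()))) for i, s in (run(term, sig) for sig in STATES)]

def equal(t1, t2):
    """The equation t1 = t2 is imposed iff both denote the same function."""
    return table(t1) == table(t2)

def agree_on_instantiation(t1, t2, fs):
    """Same test seen on the power of State -> State, for one choice of fs."""
    g1, g2 = instantiate(t1, fs), instantiate(t2, fs)
    return all(g1(s) == g2(s) for s in STATES)

def lookup(loc, branch):                     # branch: value -> term
    return ('lookup', loc, {v: branch(v) for v in VAL})

def update(loc, v, cont):
    return ('update', loc, v, cont)

def X(i):
    return ('var', i)

def check_equations(l='l0', l2='l1', v=1, w=0):
    """Constructed candidate equations; the last one is deliberately false."""
    return {
        'lookup-update': equal(lookup(l, lambda u: update(l, u, X(0))), X(0)),     # the paper's example
        'update-lookup': equal(update(l, v, lookup(l, lambda u: X(u))), update(l, v, X(v))),
        'update-update': equal(update(l, v, update(l, w, X(0))), update(l, w, X(0))),
        'commute': equal(update(l, v, update(l2, w, X(0))), update(l2, w, update(l, v, X(0)))),
        'bogus': equal(update(l, v, X(0)), X(0)),
    }

if __name__ == '__main__':
    for name, holds in check_equations().items():
        print(f'{name}: {holds}')
```

The tabulated map State → n × State is the state monad's value on the arity $n$, which is why agreement of the two tables is equivalent to agreement after every instantiation of the variables; for a countable $\mathit{Val}$ one cannot enumerate states, but each individual equation above is still decided by the same two-step evaluation.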

This construction can be generalised: starting with any signature of basic operations and any choice of model of the basic operations, one can deduce equations between derived operations. And that construction duly yields the usual equations one expects in such cases as interactive input/output and exceptions, as well as side-effects; nondeterminism involves the additional question of partiality, as we discuss later. Section 3 of this paper is devoted to giving the generality of the construction and exhibiting more detail, especially in the case of global state. In all of the examples we know of computational effects, there are computationally natural choices of such operations and of such models or sets of models.

Now assume we are given a signature of basic operations together with equations that they are to satisfy. We seek to construct canonical models of the $\lambda_c$-calculus together with the signature, subject to the equations. Our use of the word "model" here is different from our use of it in the previous paragraph: here, we mean a model of the $\lambda_c$-calculus together with operations and equations, whereas before, we meant a model of the operations but without modelling the calculus.

The central point of the paper is that a canonical model for the $\lambda_c$-calculus together with operations and equations falls out immediately from the mathematics we use to model the operations and equations alone: every signature of operations and equations we consider naturally forms a countable Lawvere theory $L$; this is a category with countable products together with structure that forces it to be generated, in a precise sense, by one object. We observe that the structure of $L$ yields the structure of a Freyd-category on $L^{op}$, and, as we recall in Section 4, a Freyd-category is exactly what one needs to model the first-order fragment of the $\lambda_c$-calculus. So $L^{op}$ gives us a model of the first-order fragment of the $\lambda_c$-calculus, and it inherently yields a model of the signature subject to its equations. In fact, $L^{op}$ does a little more than that: it also canonically models the obvious extension of the first-order fragment of the $\lambda_c$-calculus to include sum types and a type of natural numbers; and it is the free model generated by the operations and equations subject to a condition asserting the existence of countable sums. Section 5 is devoted to the details.

Finally, combining Sections 3 and 5, we can now say exactly how the various results relate to last year's paper [20]. In studying computational effects, one invariably has a signature of operations one wishes to model. One also invariably has a natural computational model of the signature. That determines natural equations to place on the derived operations, as in Section 3. The operations and equations form a countable Lawvere theory $L$, and $L^{op}$ is a canonical model of the first-order fragment of the $\lambda_c$-calculus together with the signature of operations and its equations (and sum types and a type of natural numbers). That model satisfies a natural universal property detailed in Section 5. The main result of [20] shows how to extend that model to a model of the whole $\lambda_c$-calculus (and it can be adapted to preserve the semantics of the sum types and the type of natural numbers), giving a universal property that exhibits its definitiveness. A mild systematic variant of the construction of [20] allows one to recover the standard models on $\mathbf{Set}$ listed by Moggi [10,11].

There is one very substantial omission from the above analysis, and that is recursion. The $\lambda_c$-calculus does not contain recursion, and nothing we have written here contains it either. One needs to extend both the calculus and the models in order to incorporate it. One way to do that involves replacing the $=$ predicate of the calculus (see Section 2) by $\leq$, upon which one must provide models (see Section 4) of $\leq$. That seems most elegantly done by use of enriched categories and enriched Lawvere theories [5,6]. One must extend the analysis even just to model partiality, as we mentioned above in relation to nondeterminism. In fact, there are two distinct ways to extend our analysis, and they are related: one might be seen as equational while the other might be seen as operational; the relationship between them involves the notion of a discrete enriched Lawvere theory. We defer the details to later work, but mention that the work here extends elegantly.

This paper is organised as follows. In Section 2, we describe one version of the $\lambda_c$-calculus and give a definition of a signature for it. In Section 3, we describe how, given a signature of basic operations, every model induces equations between derived operations. In Section 4, we recall the definition of a closed Freyd-category, providing the sound and complete class of models of the $\lambda_c$-calculus we need. And in Section 5, we show how every signature of operations and equations generates a canonical model for the first-order fragment of the $\lambda_c$-calculus together with those operations and equations.

2 The Computational $\lambda$-Calculus and Signatures for It

In this section, we give a succinct formulation of Moggi's computational $\lambda$-calculus, or $\lambda_c$-calculus, followed by a definition of the notion of signature for the $\lambda_c$-calculus: the latter is more subtle than one might at first imagine, as one must make a delicate distinction between constructs that are to be modelled by effect-free terms and constructs that may be modelled by arbitrary terms. The work of this section is largely adapted from that of [17], which lists natural questions to be addressed regarding the $\lambda_c$-calculus, including those of this paper. We need to include the section here as, in the following sections, we study models both for the $\lambda_c$-calculus together with a signature (in Section 5) and for signatures alone (in Section 3).

The syntax for the $\lambda_c$-calculus may be taken to be identical to that for the simply typed $\lambda$-calculus [18]. So it has type constructors

$$\sigma ::= 1 \mid \sigma_1 \times \sigma_2 \mid \sigma \to \tau$$

and term constructors

$$e ::= * \mid (e, e') \mid \pi_i(e) \mid \lambda x.e \mid e'e \mid x$$

where $x$ ranges over variables, $*$ is of type $1$, $\pi_i$ exists for $i = 1$ or $2$, all subject to the evident typing. The $\lambda_c$-calculus has two predicates: an equality predicate exactly as in the simply typed $\lambda$-calculus, and a unary predicate $(-)\!\downarrow$ for "definedness" or "effect-freeness". The rules for the latter say $*\!\downarrow$, $x\!\downarrow$, $\lambda x.e\!\downarrow$ for all $e$, if $e\!\downarrow$ then $\pi_i(e)\!\downarrow$, and similarly for $(e, e')$, and that definedness is closed under equality. There are two classes of rules for $=$. The first class says that $=$ is a congruence. The second class consists of rules for the basic constructions and for unit, product and function types. The rules are closed under substitution of effect-free terms for variables. It follows from the rules for both predicates that types together with equivalence classes of terms in context form a category, with a subcategory determined by effect-free terms. It is straightforward but lengthy to adapt the formulation of the $\lambda_c$-calculus in [12] to list the $=$ rules.

The only aspect of the λc-calculus that goes beyond the standard simply 
typed λ-calculus is the predicate (−)↓ together with the associated sophistication 
in the rules for =. The λc-calculus has typically been treated either as an equa- 
tional logic or as a higher-order intuitionistic logic, both of which were consid- 
ered in [10,11]. Here, we do the former. We shall later extend the calculus by 
adding sum types and a type of natural numbers. That is a mild extension, such 
types existing and being well understood in many call-by-value programming 
languages. In later work, we shall further extend the calculus by considering an 
order predicate ≤ in order to incorporate recursion: as is the case for the simply 
typed λ-calculus, the λc-calculus does not contain a mechanism for studying 
recursion. 

We now recall the notion of a signature for the Ac-calculus [17]. The idea is 
that each computational effect is generated by a signature of basic operations, 
subject to equations. A full definition of signature necessarily includes further, 
less complex, data that we shall describe and for which we shall give an example. 

Definition 1. A signature for the λc-calculus consists of (base) types, together 
with typed function symbols, predicate symbols for the programming language, 
and operation symbols. 

The constant, function, and predicate symbols are to be modelled using effect- 
free terms in context, while the operation symbols form arbitrary terms that 
will not in general be effect-free. In this paper, only the operations are of pri- 
mary concern, so we shall restrict our attention almost exclusively to them after 
describing our leading example in full. 

Example 1. Suppose one wishes to consider an idealised language for the com- 
bination of global state with nondeterminism. One might add to the λc-calculus 
a type Nat for natural numbers, function symbols 0, succ, and pred for natural 
numbers, and a unary predicate symbol =0. Then one adds operation symbols for 
nondeterminism and global state, namely an operation symbol ∨ for binary 
nondeterminism and lookup and update for state. The equational axioms to be 
added to the λc-calculus are those generated by the combination of nondeterminism 
and global state, as for instance in [14,16]. One can give a systematic account of 
the combination of nondeterminism and global state provided one already has a 
system of equations appropriate for each of nondeterminism and global state in- 
dividually [5,6]. So, in Section 3, we develop a theory for generating equations for 
individual computational effects, which may then be combined using the results 
of [5,6]. 

We mention in passing that we have semantic evidence that suggests how to 
extend the above-mentioned signature and equations from global state to local 
state by adding another operation block subject to natural axioms [14]: the most 
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elegant way to achieve that requires further investigation, so although consistent 
with the work in this paper, it does not seem to provide an example of the work 
we develop here. 

We have many examples of such signatures and associated equations in [5,6, 
13,14,15,16]. But we have not had a systematic way to generate the equations for 
each effect. In principle, we should be able to generate equations from a formal- 
isation of the notion of observation, then asserting that two derived operations 
should be put equal if they are observationally equivalent. 



3 From Operations and a Model to Equations 

It is generally clear, given a computational effect, how to choose suitable opera- 
tions that generate it. For instance, in modelling nondeterminism, one typically 
starts with binary ∨; for global state, one typically chooses lookup and update; 
and for interactive input/output, one considers read and write. It is often less 
clear what equations to impose as axioms. So we seek a mathematical framework 
to guide our choice of equations. The λc-calculus is an equational theory rather 
than an inequational one, so we restrict our attention to equational issues here, 
deferring partiality and recursion to later work using an enriched version of this 
analysis. 

Observe that equations typically hold between derived operations rather than 
between primitive ones. For instance, to express associativity of ∨, one must be 
able to speak of (x ∨ y) ∨ z, which is given by a derived ternary operation. So, 
we seek a unified way in which to speak of the derived operations generated by 
a signature. There are several equivalent ways to do that, and we shall use the 
notion of countable Lawvere theory [5]. 

Let ℵ₁ denote a skeleton of the category of countable sets and all functions 
between them. So ℵ₁ has an object for each natural number n and an object 
for ℵ₀. Up to equivalence, ℵ₁ is the free category with countable coproducts 
on 1. So, in referring to ℵ₁, we implicitly make a choice of the structure of its 
countable coproducts. 

Definition 2. A countable Lawvere theory is a small category L with countable 
products and a strict countable-product preserving identity-on-objects functor 
I : ℵ₁^op → L. 

Implicit in the definition is the statement that ℵ₁^op and L have the same set of 
objects. We typically write L for a countable Lawvere theory, with the data given 
by I : ℵ₁^op → L left implicit. Every signature of operations, with arities either 
natural numbers or ℵ₀, freely generates a countable Lawvere theory, a trivial one 
in the sense that it satisfies no non-trivial equations. The arrows with domain n 
and codomain 1 in that countable Lawvere theory are exactly the derived n-ary 
operations generated by the signature; an arrow with domain n and codomain m 
consists exactly of m derived n-ary operations generated by the signature. And 
that generalises routinely to ℵ₀. Composition in the countable Lawvere theory 
is a formulation of the notion of substitution. 
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Example 2. A signature for global state is given by lookup : V al — > Loc and 
update : 1 — > Loc x Val, where Loc is a finite set of locations and V al is a 
countable set of values [14,6]. These freely generate a countable Lawvere theory 
by identifying the finite set Loc with its cardinality n and by identifying Val 
with Ho, then freely allowing substitutions applied to instances of lookup and 
update. So an arrow in the countable Lawvere theory is a word of finite length 
but possibly infinite breadth (see Example 5 for more detail) of copies of lookup 
and update. We shall use this countable Lawvere theory, together with a model 
of it in Set, to induce natural equations between pairs of such words, yielding 
a countable Lawvere theory for side-effects: that will include the operations but 
identify any pairs of words that are equal in the canonical model. 



Example 3. A signature for interactive input/output is given by read : I → 1 
and write : 1 → O, typically for countable sets I of inputs and O of outputs [14,6]. 
Again, identifying I and O with ℵ₀, these operations freely generate a countable 
Lawvere theory. In this case, the canonical model does not induce any non- 
trivial equations between words. So the countable Lawvere theory for interactive 
input/output is precisely the free theory generated by read and write. 

Exceptions work much as interactive input/output: the countable Lawvere 
theory is freely generated by an operation raise : 0 → E for a finite or countable 
set of exceptions E, and the canonical model does not subject it to any non- 
trivial equations [14,6]. Nondeterminism involves issues of partiality that we 
do not treat here, but the heart of it is given by the free countable Lawvere 
theory on a binary operation ∨, and the canonical model induces the equations 
of associativity, commutativity, and idempotence [6]. Of course, one can also 
consider combinations of such effects. 

As mentioned in the examples, the equations that are to hold between derived 
operations are typically generated by a canonical (observational) model of the 
signature. 

Example 4. Continuing our investigation of global state from Example 2, let 
State be the set Val^Loc. The standard semantics of a command is generally 
understood to be a state-changing function, i.e., a function of the form 

$$State \to State$$

So the operations lookup and update should act on powers of this set. They 
are generally deemed to act as follows: the operation lookup is modelled by the 
function 

$$(State \to State)^{Val} \to (State \to State)^{Loc}$$

determined by composition with the function from Loc × State to Val × State 
that, given (loc, σ), "looks up" loc in σ : Loc → Val to obtain its value and 
pairs that value with σ itself (the projection to State); and the operation update 
is modelled by the function 

$$(State \to State) \to (State \to State)^{Loc \times Val}$$

determined by composition with the function from Loc × Val × State to State 
that, given (loc, v, σ), "updates" σ : Loc → Val by replacing the value at loc 
by v. We wish to set a pair of operations generated by lookup and update equal 
precisely when they yield the same functions on powers of State → State. 

Similar stories can be given for each of our leading examples. For instance, 
where we considered State → State to study side-effects, one would usually 
consider the set μY.(O × Y + Y^I + 1) in order to study interactive input/output: 
this set is the free algebra on 1 generated by read and write. The freeness of the 
algebra determines canonical behaviour of read and write. It is routine to verify 
that such modelling yields no equations between derived operations. Similarly 
for exceptions. One does obtain non-trivial equations for nondeterminism, and 
they are the usual ones for idempotence, commutativity and associativity of ∨. 

We can describe the constructions we have given for global state and outlined 
for other examples in a unified way in terms of countable Lawvere theories. The 
central fact is that one starts with a model of the signature of operations, and 
one imposes exactly the equations that hold in that model. We proceed as follows. 

Definition 3. A model of a countable Lawvere theory L is a countable-product 
preserving functor M : L → Set. 

It is routine to verify that if L is freely generated by a signature, to give a model 
of L as we have defined it is equivalent to giving a set X, together with a function 
X^α → X for each operation of arity α in the signature. 

Given a model M : L → Set, one can factor it uniquely up to isomorphism 
as an identity-on-objects full functor followed by a faithful functor, i.e., as 

$$L \xrightarrow{\;m\;} L_M \xrightarrow{\;m'\;} \mathrm{Set}$$

where m : L → L_M is an identity-on-objects functor that is surjective on arrows 
and m' : L_M → Set is a faithful functor. 

Proposition 1. For any model M : L → Set of a countable Lawvere theory 
L, the category L_M is a countable Lawvere theory, the functor m : L → L_M 
is a map of countable Lawvere theories, and the functor m' : L_M → Set is a 
model of L_M. 

Proof. One must check that L_M has countable products, that m strictly pre- 
serves countable products, and that m' preserves countable products. One can ei- 
ther check that by direct calculation or deduce it from the fact that the (bijective- 
on-objects and full, faithful) factorisation system on Cat lifts to the category of 
small categories with countable products. 

The countable Lawvere theory L_M is the construction we seek: if we start 
with a signature and a model of the signature, the arrows of L_M with codomain 1 
are exactly equivalence classes of derived operations generated by the signature, 
with the equivalence relation given by two derived operations being put equal if 
they are equal in the model. 
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This construction yields all of the equations generated observationally be- 
tween derived operations. For a logic, one would seek a finite presentation of the 
equations. Such a finite presentation cannot be generated by a notion of observa- 
tional equivalence alone. But the construction does allow us to check whether a 
given finite presentation yields all equations that naturally hold observationally. 
And that sometimes involves delicate logical notions such as that of Hilbert-Post 
completeness. 

Example 5. Continuing our investigation of global state from Examples 2 and 4, 
the data of Example 4 form the standard model for global state. And Proposi- 
tion 1 yields the countable Lawvere theory L_S for update and lookup generated 
by the standard model. But we have also described a countable Lawvere theory 
L'_S for global state in terms of operations and equations in [14] (see also [5]) 
without reference to a model: the operations were lookup and update, subject to 
seven equation schemata, which, with lookup corresponding to the logical symbol 
l and with update corresponding to u, can be expressed syntactically as 

1. $l_{loc}(u_{loc,v}(x))_v = x$ 
2. $l_{loc}(l_{loc}(t_{v,v'})_{v'})_v = l_{loc}(t_{v,v})_v$ 
3. $u_{loc,v}(u_{loc,v'}(x)) = u_{loc,v'}(x)$ 
4. $u_{loc,v}(l_{loc}(t_{v'})_{v'}) = u_{loc,v}(t_v)$ 
5. $l_{loc}(l_{loc'}(t_{v,v'})_{v'})_v = l_{loc'}(l_{loc}(t_{v,v'})_v)_{v'}$ where $loc \neq loc'$ 
6. $u_{loc,v}(u_{loc',v'}(x)) = u_{loc',v'}(u_{loc,v}(x))$ where $loc \neq loc'$ 
7. $u_{loc,v}(l_{loc'}(t_{v'})_{v'}) = l_{loc'}(u_{loc,v}(t_{v'}))_{v'}$ where $loc \neq loc'$. 

Here $l_{loc}(t_v)_v$ reads the value v at loc and continues with $t_v$, and 
$u_{loc,v}(x)$ writes v at loc and continues with x. These equations all hold in 
the standard model, so there is a canonical map of countable Lawvere theories 
from L'_S to L_S. But L_S is non-trivial, as not all parallel pairs of derived 
operations are equal on State → State, and, as explained in [14], L'_S is 
Hilbert-Post complete, i.e., to add any further non-trivial equation would force 
all models to be trivial. So, as L_S must validate at least as many equations as 
L'_S does but is non-trivial, L'_S is isomorphic to L_S. Thus L'_S provides 
an equational characterisation of the countable Lawvere theory generated by 
lookup and update subject to the equivalence induced by the standard model in 
Example 4. 



4 Models for the λc-Calculus 

In this section, we briefly recall the notions of Freyd-category and closed Freyd- 
category as used in [20] to model the first-order fragment of the λc-calculus and 
the whole calculus respectively. The λc-calculus is a fragment of a call-by-value 
programming language such as ML or the idealised language FPC (see for 
instance [3]). For category theoretic models, the key feature is that there are two 
entities, expressions and values. So the most direct sound and complete class of 
models involves a pair of categories C₀ and C₁, together with an identity-on- 
objects inclusion functor J : C₀ → C₁, leading to the notion of closed Freyd- 
category. The first sound and complete class of models was given by Moggi 
in [11], in which he effectively gave a construction of closed Freyd-categories 
without defining the notion. 

In order to define the notions of Freyd-category and closed Freyd-category, 
we must recall the definition of symmetric premonoidal category as introduced 
in [21] and further studied in [19]. A symmetric premonoidal category is a gen- 
eralisation of the concept of symmetric monoidal category: it is essentially a 
symmetric monoidal category except that the tensor need only be a functor of 
two variables and not necessarily be bifunctorial, i.e., given maps f : X → Y 
and f' : X' → Y', the evident two maps from X ⊗ X' to Y ⊗ Y' may differ. 

There is a general construction that yields symmetric premonoidal categories: 
given a strong monad T on a symmetric monoidal category C, the Kleisli cate- 
gory Kl(T) for T is always a symmetric premonoidal category, with the functor 
from C to Kl(T) preserving the symmetric premonoidal structure strictly: of 
course, a symmetric monoidal category such as C is trivially a symmetric pre- 
monoidal category. That construction is fundamental, albeit implicit, in Eugenio 
Moggi’s work on monads as notions of computation [12], as explained in [21]. 

One requires care in the definition of strict symmetric premonoidal functor, 
as it involves the notion of a central map, such being a map that, in a precise 
sense, is bifunctorial. But subject to that caveat, we can now define the notions 
of Freyd-category and closed Freyd-category. 

Definition 4. A Freyd-category is a category C₀ with finite products, a sym- 
metric premonoidal category C₁, and an identity-on-objects strict symmetric pre- 
monoidal functor J : C₀ → C₁. 

Definition 5. A Freyd-category J : C₀ → C₁ is closed if for every object X 
of C₀ (equivalently of C₁), the functor 

$$J(- \times X) : C_0 \to C_1$$

has a right adjoint X ⇒ −. 

The following result is proved but only stated implicitly in [21]; it is stated 
explicitly in [8,20]. 

Theorem 1. To give a category C₀ with finite products and a strong monad on 
it, such that Kleisli exponentials exist, is equivalent to giving a closed Freyd- 
category J : C₀ → C₁. 

This all means that the class of closed Freyd-categories provides a sound and 
complete class of models for the computational λ-calculus, and, as we shall recall 
later from [20], using a reasonable notion of its first-order fragment (including let, 
of course), the class of Freyd-categories is a sound and complete class of models 
for its first-order fragment. 

It is evident how to model types and terms in context in a (faithful) closed 
Freyd-category: the type constructors and contexts are modelled directly by 
the Freyd-structure, an arbitrary term in context is modelled by an arrow in 
C₁, the predicate (−)↓ is modelled for a term in context by the assertion that 
the arrow lies in C₀, and = is modelled for two terms in context by the as- 
sertion that the two induced arrows are equal. The closed Freyd-categories of 
primary interest are faithful, equivalently the corresponding monad satisfies the 
"mono requirement". When that is not the case, one needs a little more subtlety 
in understanding models: the assertion that an arrow of C₁ lies in C₀ involves 
extra structure, not just a property; such subtlety in modelling a predicate is 
a standard part of the tradition of categorical logic. If C₀ is a topos, this in- 
terpretation canonically extends to intuitionistic predicate logic, cf. Kripke-Joyal 
semantics [9]: see [16] for details. One can model classical logic either by restrict- 
ing C₀ to be Set or by interpreting the predicates using a fibration: the former is 
given by extending the situation for intuitionistic logic by the observation that 
its modelling in Set is classical; the fibrational view is more complex. 



5 Canonical Models for the λc-Calculus with 
Computational Effects 

Given any closed Freyd-category and any signature of operations for the λc- 
calculus, together with equations between derived operations, one can interpret 
the operations in the Freyd-category, then check whether or not the equations 
are validated. But here we ask a different question: given operations and equa- 
tions, can we construct a canonical closed Freyd-category together with an in- 
terpretation of the operations that satisfies the equations? Ideally, such a con- 
struction should satisfy a natural universal property. 

In fact, if the arities of the operations are all countable (including the possi- 
bility of finiteness), as they are in all our leading examples, we can do that, and 
for what one might reasonably call the first-order fragment of the λc-calculus, it 
is remarkably simple, subject to some thought about exactly what one means by 
an interpretation of the operations. 

Recall from Section 3 that the category ℵ₁ has countable coproducts. These 
are used in the definition of countable Lawvere theory, as the latter is defined 
to consist of a category L with countable products together with a countable- 
product preserving functor I : ℵ₁^op → L. Trivially, to give the countable-product 
preserving functor I is equivalent to giving a countable-coproduct preserving 
functor I^op : ℵ₁ → L^op. The category ℵ₁ not only has countable coproducts but 
also has finite products: these are given by finite products of countable sets. The 
category L^op generally does not have finite products, and the finite products of 
ℵ₁ are generally not preserved by I^op. But one can routinely check the following 
result: 

Theorem 2. For any countable Lawvere theory L, the category L^op together 
with the functor I^op : ℵ₁ → L^op canonically support the structure of a Freyd- 
category. 

Proof. Given a countable (possibly finite) set α and given a map in L^op, say 
f : β → γ, we must define a map α ⊗ f in L^op from α × β to α × γ. The set 
α × β is the sum of α-many copies of β, and similarly for α × γ. The category 
L^op has countable sums, and countable sums are preserved by I^op. So we define 
α ⊗ f : α × β → α × γ to be the sum in L^op of α copies of f: the domain and 
codomain of this sum are as desired because I^op preserves countable sums. This 
determines the rest of the data for a Freyd-structure, and it is routine to verify 
that the Freyd-category axioms all hold. 

This result suggests a definition of the first-order fragment of the λc-calculus, 
yielding a canonical model of the first-order fragment together with operations 
subject to equational axioms. 

By the first-order fragment of the λc-calculus, we mean type constructors 

$$\sigma ::= 1 \mid \sigma_1 \times \sigma_2$$

and term constructors 

$$e ::= * \mid (e, e') \mid \pi_i(e) \mid \mathrm{let}\ x = e\ \mathrm{in}\ e' \mid x$$

where x ranges over variables, * is of type 1, with π_i existing for i = 1 or 2, 
all subject to the evident typing. We still have the two predicates: = and (−)↓ 
for effect-freeness. The rules for the latter say that * ↓, x ↓, that if e ↓ then 
π_i(e) ↓, and similarly for (e, e'), and that definedness is closed under equality. 
The rules for = say that = is a congruence, together with rules for the basic 
constructions and for unit and product types. The rules are closed under 
substitution of effect-free terms for variables. It follows from the rules for both 
predicates that types together with equivalence classes of terms in context form 
a category, with a subcategory determined by effect-free terms. 

The let constructor is derivable in the full λc-calculus as (λx.e')e. The class 
of Freyd-categories provides a sound and complete class of models for the first- 
order fragment of the λc-calculus just as that of closed Freyd-categories provides 
a sound and complete class of models for the full calculus. We can thus deduce 
the following from Theorem 2: 

Corollary 1. For any countable Lawvere theory L, the category L^op together 
with I^op : ℵ₁ → L^op is a model of the first-order fragment of the λc-calculus. 

We shall call the Freyd-category of the corollary the canonical model 
determined by the computational effect associated with L: we shall next 
show that the operations can be interpreted canonically in it, and that that 
interpretation respects the equations. We shall further give a universal property 
of the construction. 

Consider exactly what one might mean by an interpretation of the operations 
of a signature. In previous work, we have investigated three main ways to inter- 
pret operations [15]. When considered in the context of a closed Freyd-category, 
all three are equivalent; in the absence of closedness, we can define two of those 
notions of interpretation, and they are still equivalent to each other. The dif- 
ficulty for the third notion arises because when S is countable, S → (X × S) 
is uncountable even when X = 1 [15]. Here, we focus on the notion that most 
directly yields our canonicity result. It uses the idea of a generic effect. 

Definition 6. Given a signature of typed basic operations and given a semantics 
for each type, an interpretation of an operation of type α → τ in a Freyd- 
category J : C₀ → C₁ is a map M(τ) → M(α) in C₁, where M(α) and M(τ) 
are the interpretations of the types α and τ. 

Example 6. Consider the usual interpretation of side-effects in the Kleisli cate- 
gory Kl(S → (− × S)) for the monad S → (− × S) on Set, where S = Val^Loc. 
The operation lookup : Val → Loc is interpreted by the function 

$$Loc \to (S \to (Val \times S))$$

taking (loc, σ) to (v, σ), where v is given by looking up loc in σ. To give a function 
from Loc to (S → (Val × S)) is to give a map in Kl(S → (− × S)) from Loc to 
Val. The operation update : 1 → Loc × Val is interpreted by the function 

$$Loc \times Val \to (S \to S)$$

sending (loc, v, σ) to the state that updates σ by replacing the value at loc by 
v, and that is a map in Kl(S → (− × S)) from Loc × Val to 1. This way of 
modelling operations as generic effects has proved particularly useful [15,5,6] 
and is consistent with Example 4 here. If we restrict from the λc-calculus to its 
first-order fragment, we can restrict the interpretation to land in the full sub- 
Freyd-category of Kl(S → (− × S)) determined by (a skeleton of) countable sets. 
This latter Freyd-category is exactly the canonical Freyd-category for global 
state determined by Corollary 1. 
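The standard model of Examples 4 and 5 and the generic-effect reading of Example 6, worked through in code for a finite store. This is an added example, not code from the paper or from its cited work. It assumes Loc = {0, 1} and Val = {0, 1, 2}, represents a state σ ∈ Val^Loc as a tuple indexed by location, and the names lookup_generic, update_generic, lookup_op, update_op, tag, equations and model_is_nontrivial are ours. Continuations are handled symbolically: each side of the seven schemata invokes exactly one continuation once, so agreement on a continuation that merely records which index fired and on which state, for every state, is agreement on powers of State → State for every choice of continuation family, which is the equivalence relation Proposition 1 quotients by.

```python
"""Global state as generic effects and as algebraic operations.

Added worked example (not from the paper): Examples 4, 5 and 6 instantiated
for a finite store. Assumptions: Loc = {0, 1}, Val = {0, 1, 2}, and a state
sigma in State = Val^Loc is represented as a tuple indexed by location.
"""
from itertools import product

LOC = (0, 1)
VAL = (0, 1, 2)
STATES = [tuple(s) for s in product(VAL, repeat=len(LOC))]   # all of Val^Loc


# Generic effects: arrows in Kl(S -> (- x S)), as in Example 6.
def lookup_generic(loc):
    """Kleisli arrow Loc -> Val at loc: a function S -> Val x S."""
    return lambda s: (s[loc], s)


def update_generic(loc, v):
    """Kleisli arrow Loc x Val -> 1 at (loc, v): a function S -> S (1 x S)."""
    return lambda s: s[:loc] + (v,) + s[loc + 1:]


# Algebraic operations on X = State -> State, as in Example 4.  A continuation
# x in X is any function of a state; a family t_v is a function Val -> X.
def lookup_op(loc, t):
    """l_loc(t_v)_v : X^Val -> X, read loc and continue with t at that value."""
    return lambda s: t(s[loc])(s)


def update_op(loc, v, x):
    """u_{loc,v}(x) : X -> X, write v at loc and continue with x."""
    return lambda s: x(update_generic(loc, v)(s))


def tag(*idx):
    """Symbolic continuation: records which index fired and on which state."""
    return lambda s: (idx, s)


def same(lhs, rhs):
    """Two elements of X = State -> State are equal iff they agree on all states."""
    return all(lhs(s) == rhs(s) for s in STATES)


def equations():
    """Check the seven schemata of Example 5 over all loc, loc', v, v'.

    Returns a dict {schema number: holds in the standard model}.
    """
    holds = {str(i): True for i in range(1, 8)}
    x = tag()
    for loc, loc2, v, v2 in product(LOC, LOC, VAL, VAL):
        # 1. l_loc(u_{loc,v}(x))_v = x
        holds["1"] &= same(lookup_op(loc, lambda a: update_op(loc, a, x)), x)
        # 2. l_loc(l_loc(t_{v,v'})_{v'})_v = l_loc(t_{v,v})_v
        holds["2"] &= same(
            lookup_op(loc, lambda a: lookup_op(loc, lambda b: tag(a, b))),
            lookup_op(loc, lambda a: tag(a, a)))
        # 3. u_{loc,v}(u_{loc,v'}(x)) = u_{loc,v'}(x)
        holds["3"] &= same(update_op(loc, v, update_op(loc, v2, x)),
                           update_op(loc, v2, x))
        # 4. u_{loc,v}(l_loc(t_{v'})_{v'}) = u_{loc,v}(t_v)
        holds["4"] &= same(update_op(loc, v, lookup_op(loc, lambda a: tag(a))),
                           update_op(loc, v, tag(v)))
        if loc == loc2:
            continue   # schemata 5-7 carry the side condition loc != loc'
        # 5. l_loc(l_loc'(t_{v,v'})_{v'})_v = l_loc'(l_loc(t_{v,v'})_v)_{v'}
        holds["5"] &= same(
            lookup_op(loc, lambda a: lookup_op(loc2, lambda b: tag(a, b))),
            lookup_op(loc2, lambda b: lookup_op(loc, lambda a: tag(a, b))))
        # 6. u_{loc,v}(u_{loc',v'}(x)) = u_{loc',v'}(u_{loc,v}(x))
        holds["6"] &= same(update_op(loc, v, update_op(loc2, v2, x)),
                           update_op(loc2, v2, update_op(loc, v, x)))
        # 7. u_{loc,v}(l_loc'(t_{v'})_{v'}) = l_loc'(u_{loc,v}(t_{v'}))_{v'}
        holds["7"] &= same(update_op(loc, v, lookup_op(loc2, lambda b: tag(b))),
                           lookup_op(loc2, lambda b: update_op(loc, v, tag(b))))
    return holds


def model_is_nontrivial():
    """L_S is non-trivial: the parallel pair u_{loc,v}(x), x is not identified."""
    x = tag()
    return any(not same(update_op(loc, v, x), x) for loc in LOC for v in VAL)


def generic_agrees_with_operation():
    """l_loc is recovered from the generic effect lookup_generic by running the
    Kleisli arrow and feeding its result to the continuation family."""
    def from_generic(loc, t):
        def run(s):
            v, s2 = lookup_generic(loc)(s)
            return t(v)(s2)
        return run
    return all(same(from_generic(loc, lambda a: tag(a)),
                    lookup_op(loc, lambda a: tag(a)))
               for loc in LOC)


if __name__ == "__main__":
    print(equations())                       # every schema maps to True
    print(model_is_nontrivial())             # True
    print(generic_agrees_with_operation())   # True
```

Running the module reports that all seven schemata hold in the standard model and that u_{loc,v}(x) = x does not, which is the two-part argument of Example 5 that L_S is a non-trivial quotient. Dropping the loc ≠ loc' guard makes schema 6 fail whenever v ≠ v', showing why the side conditions on 5 to 7 are part of the presentation.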

One can similarly use the notion of interpretation as we have defined it here 
to give canonical interpretations of ∨ for nondeterminism, read and write for 
interactive input/output, raise for exceptions, etcetera [15], all respecting the 
appropriate equations. One has the following trivial abstract proposition: 

Proposition 2. Every signature of operations of countable (possibly finite) ar- 
ity has a canonical sound interpretation in the canonical model: an arity α is 
modelled by the object α, and a basic operation op : α → β is modelled by the 
corresponding map from β to α in L^op. 

Moreover, as the category ℵ₁ includes the object ℵ₀ as a coproduct of count- 
ably many copies of 1, we can model all the types, function symbols, and constant 
symbols in the signature of Example 1 in the canonical model. In particular, the 
type Nat of natural numbers is canonically modelled in the canonical model. 

The canonical model also suggests a natural definition of what it means for 
an arbitrary Freyd-category to have finite coproducts. 

Definition 7. A Freyd-category J : C₀ → C₁ has finite coproducts if C₀ has 
and J preserves finite coproducts. 

Proposition 3. For any closed Freyd-category J : C₀ → C₁, if C₀ has finite 
coproducts, so does J. 
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This in turn suggests an extension of the first-order fragment of the Xc~ 
calculus to include sum types: by the first-order fragment of the Ac-calculus 
with sum types, we mean type constructors 

CT ::= 1 I CTi X CT2 I 0 I (7i -I- (72 



and term constructors 

e ::= * | (e, e') \ 7Ti(e) \ let x = e in e' \ 0 \ inl{e) \ inr{e) \ cases{ei, 62 ) | x 

subject to evident typing rules and an extension of the rules for the predicates 
= and (— ) I to make the class of Freyd-categories J : Co — >■ Ci with finite 
coproducts a sound and complete class of models. 

There is more flexibility here than might first appear. If a cartesian closed 
category C has finite coproducts, it follows that, for every object X of C, the 
functor — X X : C — C preserves them, i.e., product distributes over sum. But 
if C only has finite products without being closed, — x X might not preserve 
finite coproducts. But there is a strong argument that one should insist upon such 
preservation, yielding the notion of a distributive category (see, for instance, [ 2 ]). 
The same issue arises for Frej/d-categories: it is possible we should ultimately 
emphasise the (obvious) notion of distributive Freyd-category, which in turn 
would imply further axioms on an extension of the Ac-calculus to include sum 
types. Here, we need to define a notion of countable distributivity anyway. 

Definition 8 . A Freyd- category J : Co — C\ is countably distributive if Co 
has and J strictly preserves countable coproducts, and finite products distribute 
over countable coproducts in Cq. 

It follows immediately from the definition of countable Lawvere theory that if L 
is a countable Lawvere theory, the Frej/d-category 1°^ : Hi — >■ L°p is countably 
distributive. This notion allows us to characterise the canonical model by a 
universal property. 

Theorem 3. The canonical model is the generic countably distributive Freyd- 
category, i.e., for any countably distributive Freyd -category J : Cq — > Ci and 
any sound interpretation of the signature in J that respects the coproduct struc- 
ture of the arities, there is, up to coherent isomorphism, a unique countable 
coproduct preserving Freyd-functor from I°p to J that respects the interpreta- 
tions. 

Theorem 3 can now be combined with the work of [20], which shows how to 
generate a canonical model of the whole λc-calculus from a model of its first- 
order fragment. A variant of the latter construction, involving preservation of 
countable coproducts, is needed to give a smooth extension of the operations: 
that must, for space reasons, be deferred, but we mention in passing that it also 
allows one to recover Moggi's models of all the examples we have investigated 
here. 
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Abstract. People often need to reason about policy changes before they are 
adopted. For example, suppose a website manager knows that users want to enter 
her site without going through the welcome page. To decide whether or not to 
permit this, the wise manager will consider the consequences of modifying the 
policies (e.g., would this allow users to bypass advertisements and legal notices?). 
Similarly, people often need to compare policy sets. For example, consider a per- 
son who wants to buy health insurance. Before choosing a provider, the customer 
will want to compare the different policies. In other words, the customer wants to 
reason about the effect of choosing one policy set over another. We introduce a 
logic, based on propositional dynamic logic, in which these tasks can be done. We 
give a sound and complete axiomatization for our logic, and also show that it is de- 
cidable. More precisely, the satisfiability problem is decidable in nondeterministic 
exponential time. 



1 Introduction 

Many applications include a set of statements, called policies, that say what is and what 
is not permitted. Policies arise in many different settings. They can be access control 
policies, describing which agents are permitted to access resources. They can be legal 
policies, describing what actions are legally permitted, in a normative sense. An important 
observation is that an application’s set of policies might not be static. They often change 
over time, particularly in response to a user’s request. A user not only asks for policy 
changes, she usually compares the policies of different applications and chooses the 
one that’s best for her. Even before a policy set can be changed or rejected outright, a 
system designer needs to create the original set. This might involve comparing different 
options with respect to what they allow, as well as how difficult they are to implement. 
Choosing whether or not to modify a policy set, deciding to accept or reject one, and 
creating policies are nontrivial tasks. To get a sense of what needs to be done in practice, 
consider the following examples. 

Example 1.1. Suppose Alice has a junior library card that lets her into the junior section 
of the library and nowhere else. Alice asks her librarian Libby for an adult card, because 
she wants to read the books on Classical Philosophy that are kept in the library’s adult 
nonfiction section. Should Libby change the library’s policies so that Alice may act as an 
adult patron? To answer this question wisely, Libby needs to determine the consequences 
of her change. If the only consequence is that Alice may access the adult fiction and adult 
nonfiction collections, then it seems reasonable for Libby to grant the request. On the 
other hand, if the adult card would allow Alice to enter the library’s section on erotic 
literature, then Libby might look for another solution. 

Example 1.2. A company wants to offer its employees health insurance. The providers 
under consideration are Aetna and Blue Cross Blue Shield. To make an informed decision, 
the company needs to determine which actions are permitted under Aetna’s policies that 
are not allowed under Blue Cross Blue Shield’s and vice-versa. 

Example 1.3. A software company is building a new application. The policies that govern 
the application need to enforce the principle of least privilege [24, p.242], which says 
that each agent has only those permissions that are necessary to do her job. Alice is told 
to create the policies. To do this, she needs to build a policy set and then check that it 
meets the principle of least privilege. Once she has found an appropriate set, she gives it 
to Bob, whose job is to implement the policies correctly. Bob creates a new policy set that 
is relatively easy to implement and seems equivalent to the one Alice gave him. Before 
implementing the new set, however, Bob needs to verify that his set allows exactly the 
same actions as Alice’s. 

These examples demonstrate a need for a language in which people can compare 
policies and reason about suggested changes. There are many languages for articulating 
and reasoning about policies. A survey by Wieringa and Meyer [29] provides some 
examples. Others may be found in a variety of Computer Science communities, including 
computer systems security [7,13,8], automated legal reasoning [19], database integrity 
[23], and digital rights management [27,17,2,11]. All of these languages were created 
to determine which permissions follow from a single, fixed set of policies. They simply 
were not designed to address the issues highlighted by our examples. In particular, they 
cannot express that one policy set is equivalent to another, or that one is strictly more 
permissive. 

In this paper, we introduce a logic in which we can reason about non-static (i.e., 
dynamic) policies. The logic is based on Dynamic Logic of Permission (DLP) defined 
by van der Meyden [21], which is itself based on Propositional Dynamic Logic (PDL) 
[9]. DLP is used to reason about a fixed policy set that governs an application whose 
behavior is modeled by a transition system. For example, in DLP, we can formulate the 
query ‘Is Alice permitted to enter the adult fiction section’; then, we can answer the 
query based on the particular application and policy set. DLP is a very expressive logic. 
It was developed to support the kind of reasoning found in intelligent legal information 
systems. To do so, it considers permissions to be associated with transitions (any given 
state transition is either permitted or forbidden), and provides two different operators 
to query whether actions are permitted; an action is permitted if there is a possible 
execution of the action using only permitted transitions, and it is freely permitted if all 
possible executions of the action use only permitted transitions. For many computer 
applications, this distinction is not necessary. (Indeed, the examples we use in this paper 
do not use free permissions.) However, by extending DLP, our logic remains appropriate 
for reasoning about policies in legal information systems. We extend DLP by adding the 
ability to mention and to modify the policies of the application in the formulas. This lets 
us write queries such as ‘Assuming we change the policy so that Alice is treated as an 
adult, may she enter the adult fiction section’. Moreover, we can determine the truth of 
such conditional queries with respect to the particular application and the original policy 
set. 

The uses for our logic go well beyond reasoning about basic conditionals. In our 
logic, we can update a policy set (i.e., add or remove policies) within a query at arbitrary 
points. This allows us to reason about the execution of a scenario which begins under one 
policy set and completes under a modified version. For example, suppose a university has 
a policy p that says no one can pass her thesis defense, unless she has fulfilled her minor 
requirements. After witnessing several students with finished theses, scrambling to meet 
minor requirements, the university decides that the policy should be changed. The new 
policy says that minor requirements must be met for a student to pass her preliminary 
exam; since passing the preliminary exam is already a requirement for passing the 
defense, the university removes p from its policy set. Now, under either policy set, 
a student cannot pass her defense unless she has completed her minor requirements. 
However, a student with fortunate timing can avoid the requirement (she passes the 
preliminary exam under the old policy and defends under the new). We can use our 
framework to detect this type of consequence. 

The rest of the paper is organized as follows. In the next section we review transition 
systems. Then, we present both the syntax and the semantics of our logic. We finish 
the section by applying our logic to the situations in Examples 1.1, 1.2, and 1.3. In 
Section 3 we give a sound and complete axiomatization for our logic. The satisfiability 
problem is considered in Section 4, where we show that our logic is decidable. In fact, 
the satisfiability problem is decidable in nondeterministic exponential time. (We suspect 
that the problem is decidable in deterministic exponential time, which is the complexity 
of the satisfiability problem for PDL.) Related work is discussed in Section 5 and we 
conclude in Section 6. For reasons of space, the proofs are left to the full paper. 



2 A Logic for Reasoning about Dynamic Policies 

Application Model. We assume the application is modeled by a set of states, a set of 
labelled transitions, and a set of policies. A state is a snapshot of the application in time. A 
state can, for instance, record the value of all the variables in the application. Transitions 
between the states represent progress of the application. Each transition is labelled by an 
action; intuitively, a transition between states s and s' labelled with an action a means 
that by performing a in s, the application might progress to s'. Note that actions can be 
nondeterministic, in the sense that more than one transition from the same state can be 
labelled with the same action. The set of policies tells us which transitions are permitted. 

As an example of these concepts, suppose Alice wants a file and can obtain it either 
by downloading it from the network or copying it from a disk. We can capture this 
scenario in a model that has three states, $s_1$, $s_2$ and $s_3$, where Alice wants the file in $s_1$ 
and has the network version of the file in $s_2$ and the disk version of the file in $s_3$. The 
model has two transitions, $t$ and $t'$, where $t$ goes from $s_1$ to $s_2$ and is labeled ‘download 
from network’, while $t'$ goes from $s_1$ to $s_3$ and is labeled ‘download from disk’. Now 
suppose $t'$ is permitted and $t$ is not, according to the application’s policies. (For instance, 
the policy may want to restrict access to the network.) Then if Alice wants the file, she is 
permitted to copy it from the disk, but is not permitted to download it from the network. 

Syntax. We now introduce the syntax of DLP_dyn, which is our logic for reasoning about 
dynamic policies. (We assume the policies are part of an application whose behavior 
is modeled by a transition system.) DLP_dyn is an extension of DLP, which is itself an 
extension of PDL. As in PDL, we assume a set of primitive actions, $Act_0$, and then 
provide combinators for building more complex actions from the primitive ones. 



Syntax for Actions: 

$$
\begin{array}{lll}
a \in Act_0 & & \text{primitive action} \\
\alpha, \beta ::= & a & \text{primitive action} \\
 & \mid\ \alpha ; \beta & \text{sequential} \\
 & \mid\ \alpha \cup \beta & \text{alternative} \\
 & \mid\ \alpha^* & \text{repetition}
\end{array}
$$

The action $\alpha;\beta$ represents the sequential composition of $\alpha$ and $\beta$; it means ‘first execute 
$\alpha$, then execute $\beta$’. The action $\alpha \cup \beta$ represents the nondeterministic choice of $\alpha$ or $\beta$; 
it means ‘either execute $\alpha$ or execute $\beta$’. Finally, the action $\alpha^*$ represents the repeated 
execution of action $\alpha$, some nondeterministically chosen number of times (possibly 
zero). 




As with actions, the formulas of our logic are written by combining primitives. In 
this case, however, the primitives are propositions from a set $\Phi_0$. 


Syntax for Formulas: 

$$
\begin{array}{lll}
p \in \Phi_0 & & \text{primitive proposition} \\
\varphi, \psi ::= & p & \text{primitive proposition} \\
 & \mid\ \neg\varphi & \text{negation} \\
 & \mid\ \varphi \wedge \psi & \text{conjunction} \\
 & \mid\ \langle\alpha\rangle\varphi & \text{effect of action } \alpha \\
 & \mid\ \mathit{Perm}(\alpha)\varphi & \text{permission} \\
 & \mid\ \mathit{FreePerm}(\alpha)\varphi & \text{free-choice permission} \\
 & \mid\ \mathit{Grant}(\rho_1, \rho_2)\varphi & \text{granting permissions} \\
 & \mid\ \mathit{Revoke}(\rho_1, \rho_2)\varphi & \text{revoking permissions}
\end{array}
$$

The negation ($\neg$) and conjunction ($\wedge$) operators are the standard ones from propositional 
logic. We abbreviate $\neg(\neg\varphi \wedge \neg\psi)$ as $\varphi \vee \psi$ and abbreviate $\neg\varphi \vee \psi$ as $\varphi \Rightarrow \psi$. Also, 
we define $\mathit{true}$ to be the formula $p \vee \neg p$, where $p$ is a fixed primitive proposition in $\Phi_0$; 
$\mathit{false}$ is $\neg\mathit{true}$. We define the sublanguage $\Phi_P$ of propositional formulas of our logic; it 
is the set of primitive propositions in $\Phi_0$ closed under negation and conjunction. We let 
$\rho$ range over propositional formulas in $\Phi_P$. 

The PDL operator $\langle\alpha\rangle\varphi$ says by doing $\alpha$, the application can progress to a state 
satisfying $\varphi$. We abbreviate $\neg\langle\alpha\rangle\neg\varphi$ as $[\alpha]\varphi$. Observe that the formula $[\alpha]\varphi$ means after 
any execution of $\alpha$, the formula $\varphi$ is true. 
The DLP operators, which we write as $\mathit{Perm}(\alpha)\varphi$ and $\mathit{FreePerm}(\alpha)\varphi$, capture two 
different types of permissions. The formula $\mathit{Perm}(\alpha)\varphi$ means there is at least one ex- 
ecution of $\alpha$ that is both permitted and leads to a state where $\varphi$ is true. For example, 
consider the formula $\mathit{Perm}(\mathit{download} \cup \mathit{copy})\mathit{haveFile}$. It says that there is a way to 
get the file legitimately either by downloading it from the network or copying it from 
the disk; however, it does not say which of the two actions is permitted. The formula 
$\mathit{FreePerm}(\alpha)\varphi$ means all executions of $\alpha$ that lead to a state satisfying $\varphi$ are permitted. 
For example, consider the formula $\mathit{FreePerm}(\mathit{download} \cup \mathit{copy})\mathit{haveFile}$. It says that 
every way of obtaining the file by downloading it from the network or copying it from 
the disk is legitimate. 

Finally, we introduce the operators $\mathit{Grant}(\rho_1, \rho_2)\varphi$ and $\mathit{Revoke}(\rho_1, \rho_2)\varphi$. The for- 
mula $\mathit{Grant}(\rho_1, \rho_2)\varphi$ means $\varphi$ holds, if we assume every transition from a state satisfying 
$\rho_1$ to a state satisfying $\rho_2$ is permitted. Conversely, the formula $\mathit{Revoke}(\rho_1, \rho_2)\varphi$ means 
$\varphi$ holds, if we assume that every transition from a state satisfying $\rho_1$ to a state satisfying 
$\rho_2$ is not permitted. The only restriction on these operators is that $\rho_1$ and $\rho_2$ must be 
propositional formulas. Roughly speaking, this limitation means that we cannot easily 
reason about permissions that are defined in terms of other permissions. For example, 
we cannot say ‘$\varphi$ holds if whenever someone is permitted to download a file from the 
network, she is permitted to copy it from the disk’. (We believe that none of our results 
fundamentally depend on this restriction.) 

Semantics. The semantics of our logic is based on Kripke structures, which are the 
formal models of the applications. Intuitively, a Kripke structure encodes a transition 
system, along with the characteristics of each state (i.e., which primitive propositions are 
true in each state). A Kripke structure $M = (S, \pi, \tau)$ is a set of states $S$, an interpretation 
$\pi$ used to interpret the primitive propositions, and an interpretation $\tau$ used to interpret 
the primitive actions. More specifically, for a primitive proposition $p$, $\pi(p)$ is the set of 
states where $p$ holds, and for a primitive action $a$, $\tau(a)$ is the set of transitions $s_1 s_2$ that 
could occur by doing $a$. 

We associate every (not necessarily primitive) action $\alpha$ with a set of finite traces, 
where a trace is a sequence of states. Roughly speaking, a trace is in the set if there is an 
execution of the action that travels through each of the states in the trace, in turn. The 
set of traces $T_s(\alpha)$ includes every trace that could be encountered during an execution 
of $\alpha$ from state $s$. The following table defines this notion formally. 

Sequences of States Associated with Actions: $T_s(\alpha)$ 

$$
\begin{array}{lcl}
T_s(a) & = & \{ s_1 s_2 \in \tau(a) \mid s_1 = s \} \\
T_s(\alpha;\beta) & = & \{ \sigma_\alpha s' \sigma_\beta \mid \sigma_\alpha s' \in T_s(\alpha),\ s' \sigma_\beta \in T_{s'}(\beta) \} \\
T_s(\alpha \cup \beta) & = & T_s(\alpha) \cup T_s(\beta) \\
T_s(\alpha^*) & = & \{ss\} \cup T_s(\alpha) \cup T_s(\alpha;\alpha) \cup T_s(\alpha;\alpha;\alpha) \cup \ldots
\end{array}
$$

This definition of $T_s$ essentially yields the trace semantics of PDL [25]. 

To establish the truth of our formulas, we need to keep track of which transitions are 
assumed to be permitted. We store this information in a policy set $P$, which is simply a 
set of transitions. A transition is assumed to be permitted, according to $P$, if and only if it 
is in $P$. If a transition is in $P$, then we say it is $P$-green. Otherwise, we say the transition 
is $P$-red. More generally, a sequence of transitions is $P$-green if every transition in 
the sequence is $P$-green. Otherwise, the sequence is $P$-red. Notice that this definition 
suggests that an action sequence is illegal if any action in the sequence is illegal. 

A formula $\varphi$ is true (or satisfied) in a state $s$ of a model $M$ given a policy set $P$, 
written $(M, s, P) \models \varphi$, if it is true according to the following definition, where $\sigma_f$ 
denotes the final element of $\sigma$ for any nonempty finite sequence $\sigma$. 



Satisfaction Relation: $(M, s, P) \models \varphi$ 

$$
\begin{array}{lcl}
(M, s, P) \models p & \text{if} & s \in \pi(p) \\
(M, s, P) \models \neg\varphi & \text{if} & (M, s, P) \not\models \varphi \\
(M, s, P) \models \varphi \wedge \psi & \text{if} & (M, s, P) \models \varphi \text{ and } (M, s, P) \models \psi \\
(M, s, P) \models \langle\alpha\rangle\varphi & \text{if} & \text{for some } \sigma \in T_s(\alpha),\ (M, \sigma_f, P) \models \varphi \\
(M, s, P) \models \mathit{Perm}(\alpha)\varphi & \text{if} & \text{for some } P\text{-green } \sigma \in T_s(\alpha),\ (M, \sigma_f, P) \models \varphi \\
(M, s, P) \models \mathit{FreePerm}(\alpha)\varphi & \text{if} & \text{for all } \sigma \in T_s(\alpha) \text{ such that } (M, \sigma_f, P) \models \varphi,\ \sigma \text{ is } P\text{-green} \\
(M, s, P) \models \mathit{Grant}(\rho_1, \rho_2)\varphi & \text{if} & (M, s, P \cup P^{\rho_1,\rho_2}) \models \varphi \\
(M, s, P) \models \mathit{Revoke}(\rho_1, \rho_2)\varphi & \text{if} & (M, s, P \setminus P^{\rho_1,\rho_2}) \models \varphi
\end{array}
$$

where $P^{\rho_1,\rho_2} = \{ s_1 s_2 \mid (M, s_1, P) \models \rho_1,\ (M, s_2, P) \models \rho_2 \}$. 

A formula $\varphi$ is true at a state $s$ of a model $M$, written $(M, s) \models \varphi$, if for any policy 
set $P$, $(M, s, P) \models \varphi$. We can easily check that a propositional formula does not 
require the set of policies to determine its truth value. Formally, if $\rho$ is a propositional 
formula, then $(M, s, P) \models \rho$ for some $P$ if and only if $(M, s) \models \rho$. It follows that 
$P^{\rho_1,\rho_2}$ is $\{ s_1 s_2 \mid (M, s_1) \models \rho_1,\ (M, s_2) \models \rho_2 \}$, because $\rho_1$ and $\rho_2$ are propositional 
formulas. If $(M, s) \models \varphi$ for all $s \in S$, then we say $\varphi$ is valid in $M$, and write $M \models \varphi$. 
Finally, if $M \models \varphi$ for all Kripke structures $M$, we say $\varphi$ is valid, and write $\models \varphi$. We 
now revisit the examples given in the introduction. 

Example 2.1. In Example 1.1, we present a scenario in which the librarian Libby needs 
to decide whether or not to give Alice an adult patron card. To make this example more 
concrete, suppose that having an adult card means Alice may do any primitive action in 
a set $Act_A$. We now show that we can use our logic to help Libby make an informed 
decision. To do this, suppose 

- $M$ is the model that represents the library system and $P$ is the library’s current 
policy set. 

- A state in $M$ satisfies the primitive proposition ‘Alice acted as an adult’ if and only 
if every transition into the state is labeled with an action in $Act_A$. 

- For ease of exposition, we assume that either all transitions into a state are labeled 
with an action in $Act_A$ or none are. (Note that if this is not true, we could easily 
create a model, equivalent to $M$, that satisfies the condition.) 

An action $a$ that Alice may not do according to $P$ would be allowed according to the 
modified policy set, if for some state $s$ in $M$ 

$$(M, s, P) \models \neg\mathit{Perm}(a)\mathit{true} \wedge \mathit{Grant}(\mathit{true}, \text{‘Alice acted as an adult’})\,\mathit{Perm}(a)\mathit{true}.$$

By considering each action $a$ of interest, we can determine the consequences of Libby 
granting Alice’s request. 
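The satisfaction relation defined above and the check in Example 2.1 can be run on a small Kripke structure. The model checker below is an added example, not code from the paper: the two structures (the file scenario from the start of this section and a library with four sections) are constructed here, and their state, action and proposition names are assumptions; the formula $\mathit{Grant}(\mathit{true}, \text{adult})$ stands for the grant of the adult card.

```python
# DLP_dyn model checker over a finite Kripke structure (added example, not the paper's code).
# Actions and formulas are nested tuples built with the constructors below. A policy set P is
# a frozenset of transitions (pairs of states); primitive actions map to single transitions.

# ---- syntax: actions a, b and formulas f, g ----
def Act(a): return ("prim", a)                 # primitive action a in Act_0
def Seq(a, b): return ("seq", a, b)            # a ; b
def Union(a, b): return ("union", a, b)        # a U b
def Star(a): return ("star", a)                # a*
def Prop(p): return ("prop", p)                # primitive proposition
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))  # abbreviation, as in the paper
def Diamond(a, f): return ("diamond", a, f)    # <a>f
def Perm(a, f): return ("perm", a, f)
def FreePerm(a, f): return ("freeperm", a, f)
def Grant(p1, p2, f): return ("grant", p1, p2, f)
def Revoke(p1, p2, f): return ("revoke", p1, p2, f)
TRUE = Or(Prop("p"), Not(Prop("p")))           # true := p v ~p for a fixed primitive p

class Kripke:
    """M = (S, pi, tau): states, proposition -> set of states, primitive action -> transitions."""
    def __init__(self, states, pi, tau):
        self.states, self.pi, self.tau = set(states), pi, tau

# ---- semantics ----
def ends(M, P, action, s):
    """Finite summary of T_s(action): the pairs (t, green) such that some execution of the
    action from s ends in t and is P-green (True) or P-red (False). T_s(a*) is infinite in
    general, but this summary is finite and is all the satisfaction relation needs."""
    kind = action[0]
    if kind == "prim":
        return {(t, (u, t) in P) for (u, t) in M.tau.get(action[1], ()) if u == s}
    if kind == "seq":
        return {(v, g1 and g2) for (t, g1) in ends(M, P, action[1], s)
                               for (v, g2) in ends(M, P, action[2], t)}
    if kind == "union":
        return ends(M, P, action[1], s) | ends(M, P, action[2], s)
    assert kind == "star", kind
    result, frontier = {(s, True)}, [(s, True)]  # the empty execution ss has no transitions
    while frontier:                               # fixpoint over (state, green) pairs
        t, g = frontier.pop()
        for v, g2 in ends(M, P, action[1], t):
            if (v, g and g2) not in result:
                result.add((v, g and g2))
                frontier.append((v, g and g2))
    return result

def sat(M, s, P, phi):
    """(M, s, P) |= phi, one clause per line of the paper's satisfaction table."""
    kind = phi[0]
    if kind == "prop":
        return s in M.pi.get(phi[1], set())
    if kind == "not":
        return not sat(M, s, P, phi[1])
    if kind == "and":
        return sat(M, s, P, phi[1]) and sat(M, s, P, phi[2])
    if kind == "diamond":
        return any(sat(M, t, P, phi[2]) for t, _ in ends(M, P, phi[1], s))
    if kind == "perm":       # some P-green execution ends in a phi-state
        return any(g and sat(M, t, P, phi[2]) for t, g in ends(M, P, phi[1], s))
    if kind == "freeperm":   # every execution ending in a phi-state is P-green
        return all(g for t, g in ends(M, P, phi[1], s) if sat(M, t, P, phi[2]))
    assert kind in ("grant", "revoke"), kind
    p1, p2, psi = phi[1], phi[2], phi[3]         # P^{p1,p2}: every pair of states (s1, s2)
    pairs = {(s1, s2) for s1 in M.states for s2 in M.states   # with s1 |= p1 and s2 |= p2
             if sat(M, s1, P, p1) and sat(M, s2, P, p2)}
    return sat(M, s, frozenset(P | pairs if kind == "grant" else P - pairs), psi)

# ---- constructed example 1: obtaining a file by network download or disk copy ----
FILE_M = Kripke({"s1", "s2", "s3"}, {"haveFile": {"s2", "s3"}},
                {"download": {("s1", "s2")}, "copy": {("s1", "s3")}})
FILE_P = frozenset({("s1", "s3")})       # copying is permitted, downloading is not
GET_FILE = Union(Act("download"), Act("copy"))

def file_checks():
    """Perm: some legitimate way exists. FreePerm: every way must be legitimate."""
    return {"perm": sat(FILE_M, "s1", FILE_P, Perm(GET_FILE, Prop("haveFile"))),
            "freeperm": sat(FILE_M, "s1", FILE_P, FreePerm(GET_FILE, Prop("haveFile"))),
            "download": sat(FILE_M, "s1", FILE_P, Perm(Act("download"), Prop("haveFile")))}

# ---- constructed example 2: Example 2.1, Libby deciding on Alice's adult card ----
LIB_M = Kripke({"junior", "fiction", "nonfiction", "erotica"},
               {"adult": {"fiction", "nonfiction", "erotica"}},   # 'Alice acted as an adult'
               {"browse_junior": {("junior", "junior")}, "enter_fiction": {("junior", "fiction")},
                "enter_nonfiction": {("junior", "nonfiction")}, "enter_erotica": {("junior", "erotica")}})
LIB_P = frozenset({("junior", "junior")})   # the junior card permits only the junior section

def newly_permitted(M, P, adult):
    """Primitive actions forbidden under P that the adult card would allow at some state, i.e.
    (M, s, P) |= ~Perm(a)true ^ Grant(true, adult)Perm(a)true for some s."""
    query = lambda a: And(Not(Perm(Act(a), TRUE)), Grant(TRUE, Prop(adult), Perm(Act(a), TRUE)))
    return sorted(a for a in M.tau if any(sat(M, s, P, query(a)) for s in M.states))

if __name__ == "__main__":
    print(file_checks())                           # {'perm': True, 'freeperm': False, 'download': False}
    print(newly_permitted(LIB_M, LIB_P, "adult"))  # ['enter_erotica', 'enter_fiction', 'enter_nonfiction']
```

The library run surfaces the consequence Example 1.1 warns about: the grant makes entering the erotica section permitted along with the fiction and nonfiction sections, while the already-permitted junior action is not reported.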



Example 2.2. Suppose the company in Example 1.2 suspects that every permission they 
care about is either granted by the Blue Cross Blue Shield policies, or is not granted by 
either set of policies. To test this hypothesis: 

- Let $P_A$ and $P_B$ be the Aetna and Blue Cross Blue Shield policies, respectively. 

- Let $M$ be a Kripke structure capturing the states of the application and the possible 
transitions. For example, a state could represent the flu season, and a transition from 
the state could represent Alice getting a free flu shot. We assume that every state can 
be uniquely described by a propositional formula; in other words, for every state $s$, 
there is a propositional formula $\rho_s$ which is true only at $s$. 

- Let $\mathit{Pol}_A(\varphi)$ be an abbreviation for $\mathit{Grant}(\rho_{s_1}, \rho_{s_1'}) \ldots \mathit{Grant}(\rho_{s_k}, \rho_{s_k'})\varphi$ where 
$P_A = \{ s_1 s_1', \ldots, s_k s_k' \}$. Let $\mathit{Pol}_B(\varphi)$ be the corresponding abbreviation based 
on $P_B$. 

- Let $\psi_{desP}$ be a formula that represents the desired permissions. As a simple example, 
$\psi_{desP}$ could be $\mathit{Perm}(\text{Alice gets free flu shot})\mathit{true}$, which means there is a way for 
Alice to get a free flu shot. 

The company’s hypothesis is correct if 

$$M \models \mathit{Pol}_A(\psi_{desP}) \Rightarrow \mathit{Pol}_B(\psi_{desP}).$$



Example 2.3. Consider Example 1.3. 

- Let $P_{LP}$ be the set of policies that Alice created to enforce the principle of least 
privilege. 

- Let $M$ be a Kripke structure capturing the states of the application and the possible 
transitions. As in the previous example, we assume that every state can be uniquely 
described by a propositional formula; in other words, for every state $s$, there is a 
propositional formula $\rho_s$ which is true only at $s$. 

- Let $\mathit{Pol}_P(\varphi)$ be an abbreviation for $\mathit{Grant}(\rho_{s_1}, \rho_{s_1'}) \ldots \mathit{Grant}(\rho_{s_k}, \rho_{s_k'})\varphi$ for any 
policy set $P = \{ s_1 s_1', \ldots, s_k s_k' \}$. 

- Let $\psi_{jobP}$ be a formula that represents the permissions required for users to do their 
job. As a simple example, $\psi_{jobP}$ could be $\mathit{Perm}(\text{edit user’s own files})\mathit{true}$, which 
means users have a way to edit their own files. 

We want to verify that $P_{LP}$ satisfies the principle of least privilege. However, this is a 
bit tricky, because there are at least two interpretations of the principle. The first says 
that $P_{LP}$ satisfies the principle of least privilege if we cannot remove any policy from 
$P_{LP}$ and still allow the users to do their job. According to this definition, $P_{LP}$ satisfies 
the principle of least privilege if and only if 

$$M \models \mathit{Pol}_{P_{LP}}\Big( \psi_{jobP} \wedge \bigwedge_{ss' \in P_{LP}} \mathit{Revoke}(\rho_s, \rho_{s'})\neg\psi_{jobP} \Big).$$

A second interpretation is the stronger statement that $P_{LP}$ satisfies the principle of least 
privilege if it lets the users do their job, and there is no smaller set of policies that does. 
Assuming that the Kripke structure $M$ is finite, we can formalize this interpretation as 
follows. The policy set $P_{LP}$ satisfies the principle of least privilege if and only if 

$$M \models \mathit{Pol}_{P_{LP}}(\psi_{jobP}) \wedge \bigwedge_{P \in \mathcal{P}_M} \mathit{Pol}_P(\neg\psi_{jobP}),$$

where $\mathcal{P}_M = \{ P \mid P \text{ is a policy set over } M,\ |P| < |P_{LP}| \}$, the set of all policy sets with 
fewer elements than $P_{LP}$. The key observation is not that there are many interpretations 
of the principle of least privilege, but that we can capture the different interpretations in 
our framework. 

Before leaving this section, we should emphasize that $\mathit{Grant}(\rho_1, \rho_2)\varphi$ means ‘$\varphi$ 
holds under the assumption that every single transition from a state satisfying $\rho_1$ to a state 
satisfying $\rho_2$ is permitted’. This does not mean that we assume all sequences of transitions 
from states satisfying $\rho_1$ to states satisfying $\rho_2$ are permitted. This consequence of our 
logic seems particularly desirable. To see why consider the statement ‘any transition 
from a state in which Alice is in school to one in which she is home is permitted’. It 
might follow from the statement that Alice may bike home from school or even take a 
cab. However, we should not conclude from the statement that Alice is allowed to bike 
from school to the docks, convince some disreputable people to buy her beer, stagger 
home, and then beat-up her brother, despite the fact that the action sequence begins with 
Alice at school and ends with Alice at home. 



3 A Sound and Complete Axiomatization 

In this section we present a sound and complete axiomatization for our logic. Recall that 
a formula $\varphi$ is provable if it can be proven using the axiom system’s axioms and rules of 
inference. If every provable formula is valid, then the axiom system is sound. If every 
valid formula is provable, then the axiom system is complete. 

Our axiom system AX can be divided into six parts. The first set of axioms accounts 
for propositional reasoning. 

Axioms for Propositional Reasoning: 

Taut. All instances of propositional tautologies 
MP. From $\varphi$ and $\varphi \Rightarrow \psi$ infer $\psi$ 

As an example, an instance of Taut is $\varphi \vee \neg\varphi$, for any formula $\varphi$. Axiom Taut can be 
replaced by a sound and complete axiomatization for propositional tautologies, such as 
the one given in Mendelson [20]. 

The second set of axioms accounts for the PDL modality $\langle\ \rangle$. 

Axioms for $\langle\ \rangle$: 

A1. $\langle\alpha\rangle\mathit{false} \Leftrightarrow \mathit{false}$ 
A2. $\langle\alpha;\beta\rangle\varphi \Leftrightarrow \langle\alpha\rangle\langle\beta\rangle\varphi$ 
A3. $\langle\alpha \cup \beta\rangle\varphi \Leftrightarrow \langle\alpha\rangle\varphi \vee \langle\beta\rangle\varphi$ 
A4. $\langle\alpha^*\rangle\varphi \Leftrightarrow \varphi \vee \langle\alpha;\alpha^*\rangle\varphi$ 
A5. $\langle\alpha\rangle(\varphi \vee \psi) \Leftrightarrow \langle\alpha\rangle\varphi \vee \langle\alpha\rangle\psi$ 
A6. $\varphi \wedge [\alpha^*](\varphi \Rightarrow [\alpha]\varphi) \Rightarrow [\alpha^*]\varphi$ 
A7. From $\varphi$ infer $[\alpha]\varphi$ 

This is essentially the axiomatization for PDL due to Segerberg [28]. Axioms A1 through 
A5 and axiom A7 are straightforward. Axiom A6 is an induction axiom that captures the 
infinitary behavior of the $^*$ operator. 

The third set of axioms accounts for the DLP modalities $\mathit{Perm}$ and $\mathit{FreePerm}$. 

Axioms for $\mathit{Perm}$ and $\mathit{FreePerm}$: 

P1. $\mathit{Perm}(\alpha)\varphi \Rightarrow \langle\alpha\rangle\varphi$ 
P2. $\mathit{Perm}(\alpha;\beta)\varphi \Leftrightarrow \mathit{Perm}(\alpha)\mathit{Perm}(\beta)\varphi$ 
P3. $\mathit{Perm}(\alpha \cup \beta)\varphi \Leftrightarrow \mathit{Perm}(\alpha)\varphi \vee \mathit{Perm}(\beta)\varphi$ 
P4. $\mathit{Perm}(\alpha^*)\varphi \Leftrightarrow \varphi \vee \mathit{Perm}(\alpha;\alpha^*)\varphi$ 
P5. $\mathit{Perm}(\alpha)(\varphi \vee \psi) \Leftrightarrow \mathit{Perm}(\alpha)\varphi \vee \mathit{Perm}(\alpha)\psi$ 
P6. $\varphi \wedge \neg\mathit{Perm}(\alpha^*)\neg(\varphi \Rightarrow \neg\mathit{Perm}(\alpha)\neg\varphi) \Rightarrow \neg\mathit{Perm}(\alpha^*)\neg\varphi$ 
P7. … $\Rightarrow \mathit{FreePerm}(\alpha)\varphi$ 
P8. $\mathit{FreePerm}(\alpha;\beta)\varphi \Leftrightarrow \mathit{FreePerm}(\alpha)\langle\beta\rangle\varphi \wedge [\alpha]\mathit{FreePerm}(\beta)\varphi$ 
P9. $\mathit{FreePerm}(\alpha \cup \beta)\varphi \Leftrightarrow \mathit{FreePerm}(\alpha)\varphi \wedge \mathit{FreePerm}(\beta)\varphi$ 
P10. $\mathit{FreePerm}(\alpha^*)\varphi \Leftrightarrow \mathit{FreePerm}(\alpha;\alpha^*)\varphi$ 
P11. $\mathit{FreePerm}(\alpha)(\varphi \vee \psi) \Leftrightarrow \mathit{FreePerm}(\alpha)\varphi \vee \mathit{FreePerm}(\alpha)\psi$ 
P12. $[\alpha^*]\mathit{FreePerm}(\alpha)\langle\alpha^*\rangle\varphi \Rightarrow \mathit{FreePerm}(\alpha^*)\varphi$ 
P13. $\mathit{FreePerm}(\alpha)\varphi \wedge \langle\alpha\rangle\varphi \Rightarrow \mathit{Perm}(\alpha)\varphi$ 
P14. $\mathit{Perm}(\alpha)\varphi \wedge [\alpha](\varphi \Rightarrow \psi) \Rightarrow \mathit{Perm}(\alpha)\psi$ 
P15. $\mathit{FreePerm}(\alpha)\psi \wedge [\alpha](\varphi \Rightarrow \psi) \Rightarrow \mathit{FreePerm}(\alpha)\varphi$ 

These axioms are due to van der Meyden [21]. Axioms P1-P6 and P7-P12 correspond 
closely to axioms A1-A6, indicating the tight relationship between the PDL and DLP 
modalities. (This relationship is further clarified by Csirmaz [3].) Note that axiom P6 
uses the dual of $\mathit{Perm}(\alpha)\varphi$, written as $\neg\mathit{Perm}(\alpha)\neg\varphi$. Axioms P13-P15 capture the 
interactions between the different modalities. 

The fourth set of axioms concerns the behavior of the $\mathit{Grant}$ operator. 

Axioms for $\mathit{Grant}$: 

G1. $\mathit{Grant}(\rho_1, \rho_2)(\varphi \wedge \psi) \Leftrightarrow \mathit{Grant}(\rho_1, \rho_2)\varphi \wedge \mathit{Grant}(\rho_1, \rho_2)\psi$ 
G2. $\mathit{Grant}(\rho_1, \rho_2)\neg\varphi \Leftrightarrow \neg\mathit{Grant}(\rho_1, \rho_2)\varphi$ 
G3. $\mathit{Grant}(\rho_1, \rho_2)\langle\alpha\rangle\varphi \Leftrightarrow \langle\alpha\rangle\mathit{Grant}(\rho_1, \rho_2)\varphi$ 
G4. $\mathit{Grant}(\rho_1, \rho_2)\mathit{Grant}(\rho_3, \rho_4)\varphi \Leftrightarrow \mathit{Grant}(\rho_3, \rho_4)\mathit{Grant}(\rho_1, \rho_2)\varphi$ 
G5. From $\rho_3 \Rightarrow \rho_1$ and $\rho_4 \Rightarrow \rho_2$ infer $\mathit{Grant}(\rho_1, \rho_2)\mathit{Grant}(\rho_3, \rho_4)\varphi \Leftrightarrow \mathit{Grant}(\rho_1, \rho_2)\varphi$ 
G6. $\mathit{Grant}(\mathit{false}, \rho)\varphi \Leftrightarrow \varphi$ 
G7. $\mathit{Grant}(\rho, \mathit{false})\varphi \Leftrightarrow \varphi$ 
G8. $\mathit{Grant}(\rho_1, \rho_2)p \Leftrightarrow p$ for primitive propositions $p$ 
G9. $\mathit{Grant}(\rho_1 \vee \rho_2, \rho_3)\varphi \Leftrightarrow \mathit{Grant}(\rho_1, \rho_3)\mathit{Grant}(\rho_2, \rho_3)\varphi$ 
G10. $\mathit{Grant}(\rho_1, \rho_2 \vee \rho_3)\varphi \Leftrightarrow \mathit{Grant}(\rho_1, \rho_2)\mathit{Grant}(\rho_1, \rho_3)\varphi$ 
G11. $\mathit{Grant}(\rho_1, \rho_2)(\rho_1 \wedge \langle a\rangle\rho_2) \Rightarrow \mathit{Grant}(\rho_1, \rho_2)(\mathit{Perm}(a)\rho_2)$ for primitive actions $a$ 
G12. $\mathit{Grant}(\rho_1, \rho_2)\mathit{Perm}(\alpha)\varphi \Leftrightarrow \mathit{Grant}(\rho_1, \rho_2)\mathit{Perm}(\alpha)\mathit{Grant}(\rho_1, \rho_2)\varphi$ 
G13. $\mathit{Grant}(\rho_1, \rho_2)\mathit{FreePerm}(\alpha)\varphi \Leftrightarrow \mathit{Grant}(\rho_1, \rho_2)\mathit{FreePerm}(\alpha)\mathit{Grant}(\rho_1, \rho_2)\varphi$ 
G14. From $\varphi$ infer $\mathit{Grant}(\rho_1, \rho_2)\varphi$ 

Axioms G1-G3 capture the behavior of $\mathit{Grant}$ under conjunctions, negations, and 
the PDL modality. Axiom G4 says that the order in which permissions are granted 
is irrelevant. The inference rule G5 allows a permission to be disregarded if it is 
already implied by a permission that was granted earlier in the analysis. Axioms 
G4 and G5 together imply that if $\rho_1, \rho_2$ are respectively equivalent to $\rho_3, \rho_4$, then 
$\mathit{Grant}(\rho_1, \rho_2)\varphi \Leftrightarrow \mathit{Grant}(\rho_3, \rho_4)\varphi$. Axioms G6 through G8 say that an occurrence 
of the $\mathit{Grant}$ operator can be removed, if it clearly doesn’t affect the truth of the for- 
mula. Axioms G9 and G10 capture the fact that in some sense permission grants are 
cumulative. Finally, Axioms G11 through G13 capture the relationship between granting 
permissions and the other permission modalities. 

The fifth set of axioms concerns the behavior of the $\mathit{Revoke}$ operator. 

Axioms for $\mathit{Revoke}$: 

R1. $\mathit{Revoke}(\rho_1, \rho_2)(\varphi \wedge \psi) \Leftrightarrow \mathit{Revoke}(\rho_1, \rho_2)\varphi \wedge \mathit{Revoke}(\rho_1, \rho_2)\psi$ 
R2. $\mathit{Revoke}(\rho_1, \rho_2)\neg\varphi \Leftrightarrow \neg\mathit{Revoke}(\rho_1, \rho_2)\varphi$ 
R3. $\mathit{Revoke}(\rho_1, \rho_2)\langle\alpha\rangle\varphi \Leftrightarrow \langle\alpha\rangle\mathit{Revoke}(\rho_1, \rho_2)\varphi$ 
R4. $\mathit{Revoke}(\rho_1, \rho_2)\mathit{Revoke}(\rho_3, \rho_4)\varphi \Leftrightarrow \mathit{Revoke}(\rho_3, \rho_4)\mathit{Revoke}(\rho_1, \rho_2)\varphi$ 
R5. From $\rho_3 \Rightarrow \rho_1$ and $\rho_4 \Rightarrow \rho_2$ infer 
$\mathit{Revoke}(\rho_1, \rho_2)\mathit{Revoke}(\rho_3, \rho_4)\varphi \Leftrightarrow \mathit{Revoke}(\rho_1, \rho_2)\varphi$ 
R6. $\mathit{Revoke}(\mathit{false}, \rho)\varphi \Leftrightarrow \varphi$ 
R7. $\mathit{Revoke}(\rho, \mathit{false})\varphi \Leftrightarrow \varphi$ 
R8. $\mathit{Revoke}(\rho_1, \rho_2)p \Leftrightarrow p$ for primitive propositions $p$ 
R9. $\mathit{Revoke}(\rho_1 \vee \rho_2, \rho_3)\varphi \Leftrightarrow \mathit{Revoke}(\rho_1, \rho_3)\mathit{Revoke}(\rho_2, \rho_3)\varphi$ 
R10. $\mathit{Revoke}(\rho_1, \rho_2 \vee \rho_3)\varphi \Leftrightarrow \mathit{Revoke}(\rho_1, \rho_2)\mathit{Revoke}(\rho_1, \rho_3)\varphi$ 
R11. $\mathit{Revoke}(\rho_1, \rho_2)(\rho_1 \wedge [a]\rho_2) \Rightarrow \mathit{Revoke}(\rho_1, \rho_2)(\neg\mathit{Perm}(a)\rho_2)$ 
for primitive actions $a$ 
R12. $\mathit{Revoke}(\rho_1, \rho_2)\mathit{Perm}(\alpha)\varphi \Leftrightarrow \mathit{Revoke}(\rho_1, \rho_2)\mathit{Perm}(\alpha)\mathit{Revoke}(\rho_1, \rho_2)\varphi$ 
R13. $\mathit{Revoke}(\rho_1, \rho_2)\mathit{FreePerm}(\alpha)\varphi \Leftrightarrow \mathit{Revoke}(\rho_1, \rho_2)\mathit{FreePerm}(\alpha)\mathit{Revoke}(\rho_1, \rho_2)\varphi$ 
R14. From $\varphi$ infer $\mathit{Revoke}(\rho_1, \rho_2)\varphi$ 

These axioms are essentially G1-G14, with $\mathit{Grant}$ replaced by $\mathit{Revoke}$. The only ex- 
ception is R11, which says that an action corresponding to a revoked transition is not 
permitted. 

Finally, the last set of axioms captures the interaction between permission grants and 
permission revocations. 

Interaction Axioms for $\mathit{Grant}$ and $\mathit{Revoke}$: 

I1. $\mathit{Grant}(\rho_1, \rho_2)\mathit{Revoke}(\rho_3, \rho_4)\varphi \Leftrightarrow 
\mathit{Revoke}(\rho_3, \rho_4)\mathit{Grant}(\rho_1, \rho_2 \wedge \neg\rho_4)\mathit{Grant}(\rho_1 \wedge \neg\rho_3, \rho_2)\varphi$ 

I2. $\mathit{Revoke}(\rho_1, \rho_2)\mathit{Grant}(\rho_3, \rho_4)\varphi \Leftrightarrow 
\mathit{Grant}(\rho_3, \rho_4)\mathit{Revoke}(\rho_1, \rho_2 \wedge \neg\rho_4)\mathit{Revoke}(\rho_1 \wedge \neg\rho_3, \rho_2)\varphi$ 

Roughly speaking, axiom I1 says that granting some permissions $P_1$ and then revoking 
other permissions $P_2$ is equivalent to first revoking the permissions $P_2$, and then granting 
the permissions in $P_1$ that would not have been revoked by $P_2$. A similar explanation 
applies to I2. Note that it follows from I1 and G6-G7 that if $\rho_1 \Rightarrow \rho_3$ and $\rho_2 \Rightarrow \rho_4$ 
are tautologies, then $\mathit{Grant}(\rho_1, \rho_2)\mathit{Revoke}(\rho_3, \rho_4)\varphi$ is equivalent to $\mathit{Revoke}(\rho_3, \rho_4)\varphi$. 
In other words, granting permissions that are immediately revoked is equivalent to never 
granting the permissions at all. Again, a similar argument holds for axiom I2. 

As discussed at the end of Section 2, a prerequisite for the soundness of these ax- 
ioms is that a primitive action must be mapped to a single transition. More specifically, the 
soundness of Axioms G11 and R11 depends on this restriction. To see why, consider the 
(violating) structure $M$ that has three states $s_1, s_2, s_3$, with $\pi(p) = \{s_1\}$, $\pi(q) = \{s_3\}$, 
$\tau(a) = \{s_1 s_2\}$, $\tau(b) = \{s_2 s_3\}$, $\tau(c) = \{s_1 s_3\}$, and $\tau(d) = \{s_1 s_2 s_3\}$. Clearly, 
$(M, s_1, \emptyset) \models \mathit{Grant}(p, q)(p \wedge \langle d\rangle q)$ holds. However, we do not have $(M, s_1, \emptyset) \models 
\mathit{Grant}(p, q)\mathit{Perm}(d)q$, since under the policy set $\emptyset^{p,q}$, the sequence $s_1 s_2 s_3$ is red. There- 
fore, axiom G11 cannot be sound, unless every primitive action is mapped to a single 
transition. A similar argument holds for axiom R11. 

Theorem 3.1. The axiomatization AX is sound and complete for DLP_dyn with respect 
to Kripke structures. 

To establish completeness, it is possible, although not at all immediate, to use an approach 
similar to that used by Kozen and Parikh [15] to prove completeness of the axiomatization 
for PDL. (This approach was also used by van der Meyden [21] to prove completeness 
of DLP.) We first note that completeness is equivalent to the statement that all consistent 
formulas are satisfiable. Recall that a formula $\varphi$ is consistent if the formula $\neg\varphi$ is not 
provable and a formula $\varphi$ is satisfiable if there exists a Kripke structure $M$, a state $s$ of 
that structure, and a policy $P$ such that $(M, s, P) \models \varphi$. So, we can prove completeness 
if for any consistent formula $\varphi$, we can construct a model that satisfies it. We construct 
this model for an arbitrary, consistent formula $\varphi$, by taking sets of subformulas of $\varphi$ to 
be states. Details are given in the full paper. 



4 Complexity 

Having described a sound and complete axiomatization for our logic, we now turn to the 
complexity of the satisfiability problem. (Recall that the satisfiability problem asks if 
there is a Kripke structure $M$, a state $s$ in $M$, and a policy $P$ such that $(M, s, P) \models \varphi$, 
for a given formula $\varphi$.) Because our logic extends PDL, our decision problem is at least 
as difficult as PDL’s. Therefore, our decision problem has an EXPTIME lower bound 
[5]. 
To find an upper bound, we first prove a small model theorem that intuitively says that 
if a formula $\varphi$ is satisfiable, then it is satisfiable in a Kripke structure with a comparatively 
small number of states. Define the length $|\varphi|$ of a formula to be the number of symbols 
required to write $\varphi$. 

Theorem 4.1. If $\varphi$ is satisfiable, then $(M, s, P) \models \varphi$ for a Kripke structure $M = 
(S, \pi, \tau)$ with $|S| \le \ldots$. 

The following theorem shows that checking that a formula is satisfied in a particular 
finite model can be done efficiently. 

Theorem 4.2. There is an algorithm that decides $(M, s, P) \models \varphi$ in time polynomial in 
$|M|$, $|P|$ and $|\varphi|$. 

Using Theorems 4.1 and 4.2, we can establish the following upper bound. 

Theorem 4.3. The decision problem for DLP_dyn is in NEXPTIME. 

Theorem 4.3 establishes that DLP_dyn is decidable. The theorem also implies a (pre- 
viously unknown) bound on the decision problem of DLP. This result is not immediately 
apparent, because the DLP models are more general than ours; they allow primitive ac- 
tions to be mapped to sequences of transitions. However, it is a consequence of van der 
Meyden’s completeness proof that any satisfiable DLP formula is satisfiable in a model 
where primitive actions are mapped to single transitions. It follows from Theorem 4.3 
that DLP is in NEXPTIME. We conjecture that the decision problem for DLP_dyn is in 
fact EXPTIME-complete, just like PDL [9]. It should be possible to adapt the deter- 
ministic single exponential time algorithm given by Pratt [26], but this is left as future 
work. 

5 Related Work 

To the best of our knowledge, DLP_dyn is the first language explicitly designed to answer 
the kind of questions we discussed in the introduction. There is, however, a significant 
body of work on reasoning about permissions. There are fundamentally two approaches, 
propositional modal logics and first-order logics. 

Building on the work of von Wright [30], many people have based logics for reasoning 
about permissions on propositional modal logic [10]. These logics, which are typically 
called deontic logics, interpret permission via an operator $P\varphi$, which can be read ‘$\varphi$ 
is permitted’, or ‘it is permitted to make $\varphi$ true’. Unfortunately, a naive treatment of 
permission as a modality leads to a number of counterintuitive results. Von Wright [31] 
recognized that many paradoxes arise because the logics do not distinguish between 
propositions and actions. More precisely, many paradoxes are a consequence of applying 
permissions to formulas, instead of just actions. 

One of the first languages to restrict permissions to actions is due to Meyer [22]. 
Meyer’s logic is PDL with additional modalities to reason about permissions. To interpret 
permissions, he essentially divides the states in the model of the system into good states 
and bad states; an action is permitted if it leads to a good state. Most of the paradoxes 
of deontic logic disappear in this setting. 
As discussed by van der Meyden [21], however, some paradoxes remain. In particular,
reasoning about the permission of sequential actions is problematic, because the logic 
assigns permissions only to states. For example, suppose that no one is allowed to murder 
the president and, if someone does, then that person goes to jail. If the state in which 
the murderer goes to jail is a good state, which intuitively it should be, then Meyer’s 
logic says that anyone may murder the president, providing that he or she then goes to 
jail. But no one may murder the president, so this is a paradoxical situation. Another 
consequence of assigning permissions to states is that the logic cannot capture subtle 
distinctions in the use of the term ‘permission’. In particular, the logic cannot distinguish 
between the two types of permissions captured in our logic by the DLP operators Perm 
and FreePerm. To address these issues, van der Meyden designed the logic DLP. 

Clearly, our work is an extension of DLP. One way to view the relationship between 
DLPdyn and DLP is that it is akin to the relationship between propositional logic and 
PDL. Propositional logic is used to reason about a single state, while PDL extends the 
logic to reason about multiple states and the transition between them. Similarly, DLP 
is used to reason about a single set of allowed transitions, while DLPdyn extends DLP 
to reason about multiple sets of allowed transitions, using the operators Grant(p₁, p₂)φ
and Revoke(p₁, p₂)φ to move from set to set.

Although we base our logic on DLP, there is a difference between our models and the 
ones used by DLP. Specifically, DLP allows primitive actions to be assigned to sequences
of transitions; we impose the restriction that each primitive action is mapped to a single 
transition. This restriction is necessary for the axiomatization that we give in Section 3. 

The second class of languages for reasoning about permissions is first-order logics.
In the Computer Science community, these languages are typically an extension of
Datalog [6], which is a tractable fragment of first-order logic. Approaches based on
Datalog include [4,17,14,16,18]. In these languages, the environment, which essentially
corresponds to our application models, is a conjunction of formulas of the form
∀x₁, …, xₙ.(l₁ ∧ … ∧ l_k ⇒ l_{k+1}), where each l_i is a literal, l_{k+1} is a positive (i.e.,
non-negated) literal, and depending on the particular language, other restrictions might
apply. It is not clear whether or not our models can be encoded in their environments,
because of the restrictions on negation. (This also holds for approaches that are not based
on Datalog, such as [8].)

Although the first-order approaches might not be able to capture our models, they do 
support variables. This allows their specifications to be more concise. It is interesting to 
note, however, that XrML [2], which is a language that has received widespread support
in industry, assumes the domain of interest is finite.* In other words, for any formula in
the logic, there is an admittedly longer formula that is variable-free. Thus, in practice, it 
seems likely that variable-free languages are sufficiently expressive. 

Finally, we should note that both the modal approaches and the first-order languages 
typically assume that any action that is not permitted is forbidden. However, there are 
exceptions [12,1,13,8]. By allowing actions to be neither permitted nor forbidden, we 
can sensibly merge policies that govern the same system. In future work, we would like 
to explore these possibilities within our framework. 

* The XrML authorization algorithm, which determines if a permission follows from a set of 
XrML policies, terminates only for finite domains. 
6 Conclusion

In this paper, we identify a class of problems that are of practical interest and that have 
not been addressed previously in the literature. Essentially, these problems arise when 
there is not a single, fixed set of policies. Examples include comparing different policy 
sets and understanding the consequences of an evolving policy set. 

Not only have we found an interesting class of problems, our work shows that the 
approaches for reasoning about single sets can be adapted to handle the new issues. We 
were able to extend DLP to create a logic in which to compare policy sets and reason 
about changing policies. To the best of our knowledge, ours is the first logic designed 
explicitly for this purpose. By modifying existing proof techniques, we were able to 
obtain a sound and complete axiomatization for the logic. Moreover, despite the added 
expressiveness, the decision problem remains decidable. 

As illustrated by Examples 2.1, 2.2, and 2.3, a key problem is verifying that a model 
satisfies a given formula. Theorem 4.2 provides a general bound on the complexity of 
the model checking problem. It would be interesting to investigate efficient techniques 
to perform this verification. 
Abstract. Using a probabilistic polynomial-time process calculus designed for
specifying security properties as observational equivalences, we develop a form of
bisimulation that justifies an equational proof system. This proof system is
sufficiently powerful to derive the semantic security of El Gamal encryption from
the Decision Diffie-Hellman (DDH) assumption. The proof system can also derive the
converse: if El Gamal is secure, then DDH holds. While these are not new cryptographic
results, these example proofs show the power of probabilistic bisimulation and
equational reasoning for protocol security.



1 Introduction 

While so-called Dolev-Yao-style [9,23] models that use nondeterminism and idealized
cryptography have proven useful (e.g., [6,27,24,10]), combining nondeterminism
with bit-level representation of encryption keys renders any encryption
function insecure [18]. We therefore explore a probabilistic polynomial-time process
calculus framework [18,22,19] for protocol analysis that is formal, yet close
to the mathematical setting of modern cryptography and other recent work on
compositional reasoning at a cryptographic level [7,25]. In this approach, we may
reason about the security of protocols by quantifying over all “adversarial” processes
definable in the language. In addition, the probabilistic process language
lets us analyze probabilistic encryption functions, such as El Gamal [11], and
protocols, using security requirements that have become accepted in the field of
cryptography.

In the probabilistic polynomial-time calculus, security properties are specified
as asymptotic observational equivalences. Specifically, P ≅ Q means that
for any context C[ ], the behavior of process C[P] is asymptotically computationally
indistinguishable from the behavior of process C[Q]. If P is a protocol of
interest, and Q is an idealized form of the process that uses private channels to
guarantee authentication and secrecy, then P ≅ Q is a succinct way of asserting
that P is secure. We have found this approach, also used in [2,7,25], effective
not only for specifying security properties of common network protocols, but
also for stating common cryptographic assumptions. For this reason, we believe
it is possible to prove protocol security from cryptographic assumptions using
equational reasoning. The possibility is realized in this paper by proving security
of El Gamal encryption from the standard Decision Diffie-Hellman assumption,
and conversely.

Several advances over our previous efforts [18,22,19] were needed to make 
these formal equational proofs possible. First, we have refined the operational 
semantics of our process calculus. Most importantly, we define protocol execu- 
tion with respect to any probabilistic scheduler that runs in polynomial time and 
operates uniformly over certain kinds of choices (to avoid unrealistic collusion 
between the scheduler and a protocol attacker), and we give priority to private 
(“silent”) actions by executing private actions simultaneously in parallel before 
public communication. Second, we develop a form of probabilistic bisimulation 
that, while not a complete characterization of asymptotic observational equiv- 
alence, gives a tractable approximation. Third, we present an equational proof 
system and prove its soundness using bisimulation. The power of this equational 
proof system is shown by proving the semantic security of El Gamal encryption 
from the Decision Diffie-Hellman assumption.

Previous literature on probabilistic process calculi includes, e.g., [20,28]. The 
closest technical precursor of our process calculus is [2], which uses observational
equivalence and channel abstraction but does not involve probability or compu- 
tational complexity bounds; subsequent related work is cited in [1], for example. 
Prior work on CSP and security protocols, e.g., [27], also uses process calculus
and security specifications in the form of equivalence or related approximation 
orderings on processes. An important parallel effort with goals similar to our 
work, the paradigm of “universally composable security”, can be found in [7]. 
Some connections between the probabilistic polynomial-time process calculus 
and universal composability are discussed in [19]. A full version of the present 
condensed conference paper is in preparation and will be available on the web 
[26]. 

2 The Probabilistic Process Calculus 

We will write F : X × Y → [0, 1] for a probabilistic function from X to Y, and
say that F is stochastic if ∀x ∈ X the finite sum Σ_{y ∈ Y} F(x, y) equals 1. Given an
equivalence relation R over the set A, we will write [x]_R for the equivalence class
of x in A and write (A/R) for the set of all equivalence classes of A. For a multiset
A, the equivalence class [x]_R of x with respect to R is a multiset consisting of
all elements equivalent to x under R, each with the same multiplicity in [x]_R as
in A. We refer to standard sources such as [3] for a discussion of probabilistic
poly-time Turing machines and functions.

2.1 Syntax 

Our probabilistic process calculus consists of a set of terms that do not perform
any communications, expressions that can communicate with other expressions,
and channels that are used for communication. Let Var be a countable set of
variable names, Channel a countable set of channel names, and Poly = {q : N → N |
∀a ∈ N : q(a) > 0} the set of positive polynomials in one variable. We note
that each channel name has a bandwidth polynomial associated with it by a
function we shall call σ. The security parameter used in cryptographic analysis
is represented by a distinguished constant n, discussed in more detail further on.
We use ≡ for syntactic identity.

We assume the existence of a class of terms Θ such that:

1. If θ is a term with k variables, then there exists a probabilistic Turing machine
M_θ with k inputs and a polynomial q_θ(x₁, …, x_k) such that:

a) The term θ, with a₁, …, a_k substituted for its k variables, reduces to a
with probability p if and only if M_θ(a₁, …, a_k) returns a with probability
p; and,

b) For any choice of a₁, …, a_k we have that M_θ(a₁, …, a_k) halts in time at
most q_θ(|a₁|, …, |a_k|).

2. For each probabilistic poly-time function f : Nᵐ → N, there exists a term θ
such that M_θ computes f.

One example of such a set of terms is based on a term calculus called OSLR
studied in [21] (based in turn on [4,16]). Expressions of the probabilistic process
calculus (PPC) are given by the following grammar:

    P ::= 0                      (termination)
        | ν_c(P)                 (private channel)
        | in[c, x].(P)           (input)
        | out[c, T].(P)          (output)
        | [T₁ = T₂].(P)          (match)
        | (P | P)                (parallel composition)
        | !_{q(n)}(P)            (bounded replication)



Intuitively 0 is the zero expression having no transitions. An input operator
in[c, x].P waits until it receives a value on the channel c and then substitutes
that value for the variable x ∈ Var in P. Similarly, an output out[c, T].P
evaluates the term T, transmits that value on the channel c, and then proceeds
with P. Channel names that appear in an input or an output operation can
be either public or private, with a channel being private if it is bound by a
ν-operator and public otherwise. For convenience we will α-rename channel names
so that they are all distinct. The match operator evaluates the expression bound
to it if and only if both the terms making up the match evaluate to the same
atom. Otherwise the entire match expression evaluates to the zero process. We
assume that the probabilistic parallel composition operator | associates to the
left. The bounded replication operator has bound determined by the polynomial
q ∈ Poly affixed as a subscript. The expression !_{q(n)}(P) is expanded to the
q(n)-fold parallel composition P | ⋯ | P before evaluation. We will write out[c, T]
as an abbreviation for the expression out[c, T].(0).

Probabilistic Bisimulation and Equivalence for Security Analysis 471

An expression P generated by this grammar may contain the distinguished
constant n. Substituting a value drawn from N for n gives rise to processes. In
particular if P is an expression, then the process obtained by substituting i for
all occurrences of n in P is denoted P^{n←i}, i.e., P^{n←i} ≡ [i/n]P. An expression
P can be thought to define the set of processes {P^{n←i} | i ∈ N}. If we wish to
denote a process without making the value of the security parameter explicit,
we will just drop the superscript and write P (for a process obtained from the
expression P).

We use Expr for the set of expressions and Proc for the set of all processes.
We will denote the set of all variable-closed processes by CProc. Let P be an
open PPC expression and ξ a valuation of the free variables of P in N. Then
P(ξ) denotes the result of substituting, for each free variable x, the atom ξ(x)
for all occurrences of x in P.

A context is an expression with numbered “holes” (indicated by empty square
brackets [ ]_k). The numerical subscripts serve to uniquely identify the holes. If
we express protocols as expressions, then we can use contexts to express adversarial
environments in which the protocols execute. As for expressions, it follows
from the presence of the security parameter n in a context C that we can view
C[ ]_{k₁} ⋯ [ ]_{k_m} as defining the set {C^{n←i}[ ]_{k₁} ⋯ [ ]_{k_m} | i ∈ N}. We remind the
reader that the security parameter appears in the polynomial bounding replication
operators, in terms, and in the bandwidth polynomials associated with
channels. We write Con for the set of all contexts.



2.2 Operational Semantics 

The evaluation of a variable-closed process proceeds in three steps: reduction,
selection, and communication. In the reduction step, all unblocked terms and
matches are evaluated, where a term or match is blocked if it appears in the
body P of a process in[c, x].P that is still waiting for input, and unblocked otherwise.

In the selection step, we use a probabilistic scheduler to select an action to
perform. Actions include the silent action, τ; the input action in(c, a) that reads
the value a from the channel c into the variable x; the output action out(c, a)
that places the value a on the channel c; and the simultaneous action α · β
obtained by using the action product · on α and β. The observable of an action
is simply the pair of value and channel name associated with the action. We will
say that two actions are of the same type, written α ≈ β, when the observables
generated by them are the same. A scheduler is a stochastic probabilistic poly-time
function that probabilistically maps a set of actions to a type of action and
always selects the silent (τ) type when the input set of actions contains a silent
action. Let S be the set of all schedulers.

In the communication step, we pick an action of the chosen type uniformly 
at random from the set of actions of that type that the process can take. Having 
picked the particular action, we then perform the associated substitution of 
values for variables. In doing this, we take care to truncate the value according 
to the bandwidth polynomials associated with the channel name. By truncating 
the values substituted, we ensure that we never write down values that are 
exponentially long. 
We call this three-stage procedure an evaluation step; evaluation proceeds in
evaluation steps until the set of schedulable actions becomes empty.

Theorem 1. Let P be a process. Then the evaluation of P can be performed in
time polynomial in the security parameter.

The proof proceeds by constructing a machine that evaluates P. Obtaining the 
required time-bound relies on terms and schedulers both being probabilistic poly- 
time Turing machines. We can also prove the converse of this theorem, omitted 
due to space constraints. 

3 Probabilistic Bisimulation 

In this section we develop a form of weak probabilistic bisimulation, or more
simply probabilistic bisimulation, adapted from [28], which studies various
approaches to probabilistic bisimulation and provides an elegant treatment.

Our calculus and intended application to security protocols presents several
challenges that are absent from [28]. Silent actions are made simultaneous so
as to avoid the |-operator changing the probability of silent actions. Communications
across public channels yield compound public (not silent) actions since
protocol communications are subject to interference by an adversary. As a result,
the semantics of our |-operator cannot be easily reduced to the semantics given
to standard nondeterministic composition, probabilistic summation, or probabilistic
product.

We refer to a sequence of actions as a path and a sequence of silent actions
terminated by an α-step as an α-path. If α is public, then an α-path must have
length ≥ 1; if α is a silent action, then an α-path can have length 0. A zero-length
path is called an empty path and a τ-path is called a silent path.

Definition 2. Let Paths(P, α, ℜ) be the set of α-paths from P to some process
in ℜ that are minimal with respect to ℜ, i.e., the α-paths that are not proper
extensions of some other α-path into ℜ. For π ∈ Paths(P, α, ℜ), Prob[π, S]
denotes the probability of the process P taking the path π under the scheduler S
and is formally defined in [26].

We will reason about processes using a cumulative probability distribution function
(cPDF). Intuitively, given a scheduler S, the cPDF μ(P, α, ℜ, S) measures
the total probability that the process P can take an α-path under the scheduler
S to reach a process in the set ℜ. For details we refer the reader to [26].

Definition 3. The cPDF μ : CProc × Act × 2^{CProc} × S → [0, 1] is defined by

    μ(P, α, ℜ, S) = Σ_{π ∈ Paths(P, α, ℜ)} Prob[π, S]                                (1)

Lemma 4. ∀P ∈ CProc.∀α ∈ Act.∀ℜ ⊆ CProc.∀S ∈ S : μ(P, α, ℜ, S) ≤ 1

The proof is by induction on the length of α-paths.

Definition 5. An equivalence relation R ⊆ Proc × Proc is a weak probabilistic
bisimulation, or bisimulation, if (P, Q) ∈ R implies that

    ∀ℜ ∈ (Proc/R).∀S ∈ S.∀α ∈ Act : μ(P, α, ℜ, S) = μ(Q, α, ℜ, S)                   (2)

Two processes P and Q are bisimulation equivalent (denoted P ~ Q) if there
exists a bisimulation R such that (P, Q) ∈ R. It immediately follows that ~ =
∪{R | R is a bisimulation}. We extend bisimulation to all processes by stipulating
that P, Q ∈ Proc are bisimilar iff they are bisimilar after any substitution of
atoms for their free variables. We extend bisimulation equivalence to expressions
by stipulating that P, Q ∈ Expr are bisimilar iff ∀i ∈ N : P^{n←i} ~ Q^{n←i}.

As a traditional sanity check, we can show that ~ is the largest bisimulation
over Proc using a fixed-point argument as in [20].
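To make Definitions 3 and 5 concrete, the following is an added example and not code from the paper: it computes the cPDF μ and the largest bisimulation for a small, fully probabilistic transition system. It simplifies the paper's setting in two ways that are assumptions of the example rather than the paper's semantics: there is no scheduler (so μ loses its S argument) and no parallel composition, so states and their transitions are a constructed table. The partition refinement returns the coarsest partition satisfying eq. (2) for every class, which is the largest bisimulation.

```python
"""Added example (not from the paper): the cPDF mu of Definition 3 and the largest
weak probabilistic bisimulation of Definition 5 over a small, fully probabilistic
transition system without schedulers.  The system below is constructed."""
from fractions import Fraction

TAU = "tau"  # the silent action

# Constructed toy system: state -> [(action, probability, successor)].  It has no
# tau-cycles, so the recursion in mu() terminates without a fixpoint computation.
SYSTEM = {
    "P":    [(TAU, Fraction(1), "P1")],                                   # one silent step, then a
    "P1":   [("a", Fraction(1), "STOP")],
    "Q":    [("a", Fraction(1), "STOP")],                                 # a directly: bisimilar to P
    "R":    [("a", Fraction(1, 2), "STOP"), ("b", Fraction(1, 2), "STOP")],  # a fair coin: not bisimilar
    "STOP": [],
}


def mu(system, state, action, target):
    """Cumulative probability that `state` takes a minimal `action`-path into the set
    `target` (Definition 3 with the scheduler dropped).  An alpha-path is tau* alpha for a
    public alpha, or tau* (possibly empty) for alpha == tau; minimality means the path is
    cut at its first arrival in `target`, so a tau-path from a state already in `target`
    is the empty path with probability 1."""
    if action == TAU and state in target:
        return Fraction(1)
    total = Fraction(0)
    for act, prob, nxt in system[state]:
        if act == TAU:
            total += prob * mu(system, nxt, action, target)   # extend the silent prefix
        elif act == action and nxt in target:
            total += prob                                      # the terminating alpha-step
    return total


def bisimulation_classes(system):
    """Coarsest partition of the states such that eq. (2) holds for every class: partition
    refinement from the single class of all states, splitting states whose mu-signatures
    over all actions and current classes differ.  Refinement never merges classes."""
    states = sorted(system)
    actions = sorted({act for trans in system.values() for act, _, _ in trans} | {TAU})
    classes = [frozenset(states)]
    while True:
        groups = {}
        for s in states:
            owner = next(i for i, cls in enumerate(classes) if s in cls)
            signature = tuple(mu(system, s, a, cls) for a in actions for cls in classes)
            groups.setdefault((owner, signature), []).append(s)
        refined = [frozenset(g) for g in groups.values()]
        if len(refined) == len(classes):
            return refined
        classes = refined


def bisimilar(system, p, q):
    """P ~ Q iff both land in the same class of the largest bisimulation."""
    return any(p in cls and q in cls for cls in bisimulation_classes(system))


if __name__ == "__main__":
    print("mu(P, a, {STOP}) =", mu(SYSTEM, "P", "a", {"STOP"}))
    print("mu(R, a, {STOP}) =", mu(SYSTEM, "R", "a", {"STOP"}))
    print("classes:", [sorted(cls) for cls in bisimulation_classes(SYSTEM)])
    print("P ~ Q:", bisimilar(SYSTEM, "P", "Q"), " P ~ R:", bisimilar(SYSTEM, "P", "R"))
```

The system is the textbook pair: P does one silent step and then a, Q does a immediately, and the two end in the same class because μ(P, a, {STOP}) = μ(Q, a, {STOP}) = 1 and both have μ(·, τ, C) = 1 for their own class; the fair coin R is separated by μ(R, a, {STOP}) = 1/2. The value μ(P, τ, [P]) = 1 is the empty silent path that Definition 2's minimality makes the only one counted.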

Theorem 6. ∀P, Q ∈ Proc.∀C[ ] ∈ Con : P ~ Q ⇒ C[P] ~ C[Q]

As in [28], the proof uses the cumulative probability distribution function μ instead
of reasoning directly about the underlying transitions. The proof is structured
around two inductions: one on the maximum number of free variables in
C[P] and C[Q] and another on the structure of processes. For | we show that
μ(P | Q, α, ℜ₁ | ℜ₂, S) = Σ_{β·γ ≈ α} μ(Q, β, ℜ₂, S) · μ(P, γ, ℜ₁, S) by exploiting the
fact that P ~ Q implies that ∀ℜ ∈ (Proc/~) : μ(P, τ, ℜ, S) = μ(Q, τ, ℜ, S). For
ν we exploit the fact that a silent action consists of simultaneously performing
every concrete action (an action consisting of an input and output on the
same channel and transmitting the same value) on a private channel that can
go without interfering with the other private actions.

4 Asymptotic Observational Equivalence 

4.1 Definition of Observational Equivalence 

Intuitively, we wish to consider two closed expressions equivalent if they behave 
indistinguishably in the presence of any adversary, where we represent an ad- 
versary by a context and a scheduler. We are most interested in protocols that 
use cryptographic primitives, and cryptographic primitives generally depend on 
some security parameter, such as the length of the encryption key. The purpose 
of the security parameter, as opposed to a fixed key length, is that it can be 
made as large as needed for any desired degree of security. Therefore, while the 
adversary has control over the context (surrounding environment) and scheduler, 
representing a degree of “good luck”, we only consider the adversary successful 
if it can measure an asymptotically significant difference between processes as 
the security parameter increases. 

Definition 7. An observable o is a pair (c, a) ∈ Channel × N. Let Obs be the
set of all observables.

If P ∈ Proc is a blocked process and o = (c, a) is an observable, then P
generates o under scheduler S, written P ↝_S o, if an action equivalent to in(c, a) ·
out(c, a) is selected by S and performed during the course of the evaluation of
P. “Partial actions,” consisting of an input action without a matching output,
or an output without a matching input, appear in the structured operational
semantics and are used to prove compositionality of ~. These partial actions are
not primitive observables, but can be observed in a parallel context that provides
the dual action. We only consider concrete actions (with an input matched by
an output) here and write Act^c for the set of concrete actions.

The probability that P generates an observable o under the scheduler S is the
probability that P can take a (in(c, a) · out(c, a))-path, under S, plus the probability
that P can, under S, take an α-path (with α concrete but not equivalent
to in(c, a) · out(c, a)) to some process R times the probability that R generates o
under S. If a path produces the observable o multiple times, then its contribution
to Prob[P ↝_S o] only extends to the first occurrence of that observable along
that path. Since we only care about whether a path produces an observable,
not the number of times that it does so, we only count to the first observable
generated by that path. An easy induction shows that Prob[P ↝_S o] ≤ 1.

We envision process evaluation as proceeding in stages where each stage
is determined by an input communicating with an output. While probabilistic
bisimulation allowed partial actions (inputs and outputs communicating with
the environment), actual evaluation proceeds via concrete actions (input-output
pairs). Hence, we define observable behavior with respect to just those schedulers
that always select concrete actions.

Definition 8. A perceptible scheduler is a scheduler that only schedules private
actions and concrete actions. We write S^P for the set of perceptible schedulers.

Let Q be the set of positive polynomials. Let U be the set of valuations of
free variables. If σ ∈ U is a valuation, then we denote the result of performing
the valuation σ on P by σ(P).

Definition 9 (observational equivalence). Let P and Q be two expressions.
We will say that P ≅ Q, or that they are observationally equivalent, if:

    ∀q(x) ∈ Q.∀σ ∈ U.∀C[ ] ∈ Con.∀o ∈ Obs.∀S ∈ S^P.∃i₀ ∈ N.∀i ≥ i₀ :

    | Prob[σ(C^{n←i}[P^{n←i}]) ↝_S o] − Prob[σ(C^{n←i}[Q^{n←i}]) ↝_S o] | < 1/q(i)        (3)

Theorem 10. ≅ is a congruence.

Using Theorem 6 and the definition of ≅ we can prove

Theorem 11. P ~ Q ⇒ P ≅ Q.

4.2 A Proof System 

A proof system for proving asymptotic observational equivalence is given in 
Figure 1. The soundness of this proof system is established in three ways. Axioms 
(P1)  P | Q ≅ Q | P

(P2)  0 | P ≅ P

(P3)  (P | Q) | R ≅ P | (Q | R)

(P4)  P₁ ≅ P₂,  Q₁ ≅ Q₂
      ---------------------
      P₁ | Q₁ ≅ P₂ | Q₂

(NU1) c ∉ Channel(P),  x ∉ FreeVars(P)
      ----------------------------------
      P ≅ ν_c(out[c, T] | in[c, x].P)

(NU2) C[out[c, T]] is scheduler-insensitive,
      c ∉ Channel(C[0]),  Public(C[out[c, T]]) = {c}
      ------------------------------------------------
      ∃T_c : out[c, T_c] ≅ C[out[c, T]]

(ZER) P has no public channels
      -------------------------
      P ≅ 0

(CON) P ≅ Q,  C[ ] ∈ Con
      -------------------
      C[P] ≅ C[Q]

(TRN) P ≅ Q,  Q ≅ R
      --------------
      P ≅ R

(SYM) P ≅ Q
      ------
      Q ≅ P

(R1)  σ(c) = σ(d)
      --------------------
      ν_c(P) ≅ ν_d(P[d/c])

(R2)  σ(c) = σ(d),  d ∉ Channel(P, Q),  P ≅ Q
      ----------------------------------------
      P[d/c] ≅ Q[d/c]

(EQ1) f_T and f_U are computationally indistinguishable
      -------------------------------------------------
      out[c, T] ≅ out[c, U]

(EQ2) ∀i ∈ [1, k] : out[c_i, T_i] ≅ out[c_i, U_i]
      ----------------------------------------------
      out[d, V(T₁, …, T_k)] ≅ out[d, V(U₁, …, U_k)]

(PUL) ∀a₁, …, a_k : out[c_i, U_i(a₁, …, a_k)] ≅ out[c_i, V_i(a₁, …, a_k)],  i ∈ [1, m]
      FreeVars(C[out[c₁, U₁(x₁, …, x_k)]] ⋯ [out[c_m, U_m(x₁, …, x_k)]]) =
      FreeVars(C[out[c₁, V₁(x₁, …, x_k)]] ⋯ [out[c_m, V_m(x₁, …, x_k)]]) = {x_i}
      --------------------------------------------------------------------------------
      in[d, x_i].C[out[c₁, U₁(x₁, …, x_k)]] ⋯ [out[c_m, U_m(x₁, …, x_k)]] ≅
      in[d, x_i].C[out[c₁, V₁(x₁, …, x_k)]] ⋯ [out[c_m, V_m(x₁, …, x_k)]]

Fig. 1. A Reasoning System for PPC
such as P1, NU2, etc., and certain structural inference rules like P4 are justified by
an application of Theorem 11. The soundness of rules CON, TRN, and SYM follows
from the congruence properties of ≅. The three rules EQ1, EQ2, and PUL are
justified by reasoning directly about asymptotic equivalences. Detailed soundness
arguments are given in [26]. We now continue with comments on selected rules.

A scheduler-insensitive process family is one in which the choice of scheduler
does not matter, i.e., a process family for which at any evaluation-step only
one kind of action can possibly be taken. Rule NU2 states that if you have a
scheduler-insensitive process family with only one output on a public channel,
then the entire process family can be written as a single term placed in an
output on the same channel. Essentially, this rule states that silent transitions are
probabilistically invisible, a property that we were not able to achieve in earlier
semantics for our calculus. The first of the two rules dealing with renaming
channels, R1, states that one can arbitrarily rename private channels (as long
as bandwidths are respected). In this rule, P[d/c] is taken to mean the closed
expression obtained by replacing the channel name c with the channel name d
(we define a similar notation for processes).

The second rule regarding renaming, R2, allows us to rename public channels 
to a name that is not currently in use by the expression. There is an additional 
technical restriction that ensures that the bandwidth associated with the new 
name is as big as the bandwidth associated with the old name. 

The rule PUL asserts that if two functions f_U : N^k × N → [0, 1] and g_V : N^k × N → [0, 1]
induce almost the same distribution on outputs, then we can “pull
out” one of the arguments into an output.

5 Cryptographic Applications 

Our asymptotic notion of observational equivalence between probabilistic poly- 
time processes allows us to express indistinguishability by polynomial-time sta- 
tistical tests, a standard way of characterizing cryptographically strong pseudo- 
random number generators [29,12]. In what follows, we will denote an element
x chosen uniformly at random from the set X by x ← X.

Throughout this section we adopt a uniform-complexity model of the adver- 
sary, see [13] Ch. 5. 

5.1 Computational Indistinguishability 

Definition 12 (function ensemble [29,12]). A function ensemble f is an
indexed family of functions {f_i : A_i → B_i}_{i ∈ N}. A function ensemble f : A_i → B_i
is uniform if there exists a single Turing machine M that computes f for all
values of i, i.e., M(i, x) = f_i(x). A uniform function ensemble f : A_i → B_i is
poly-time if there exists a polynomial q and a single Turing machine M such that
M(i, x) computes f_i(x) in time at most q(|i|, |x|). A uniform function ensemble
f : A_i → B_i is probabilistic poly-time if f_i is a probabilistic poly-time function.
A poly-time statistical test A is the {0, 1}-valued probabilistic poly-time function
ensemble {A_i : {0, 1}^{q(i)} → {0, 1}}.
The notion of computational indistinguishability is central to cryptography;
[12], in particular, has an insightful discussion. 

Definition 13 (computational indistinguishability [29,12]). Let q(x) be a
positive polynomial. A uniform probabilistic poly-time function ensemble f : {} →
{0, 1}^{q(·)} is computationally indistinguishable from a uniform probabilistic poly-time
function ensemble g : {} → {0, 1}^{q(·)} just when for all poly-time statistical
tests A we have:

    ∀q(x).∃i₀.∀i ≥ i₀ : | Prob[A_i(f_i()) = “1”] − Prob[A_i(g_i()) = “1”] | < 1/q(i)        (4)



Theorem 14. Let f : {} → {0, 1}^{l(·)} (∀x ∈ N : l(x) > k(x)) be a uniform probabilistic
poly-time function ensemble. Let g : {} → {0, 1}^{k(·)} be another uniform
probabilistic poly-time function ensemble. Let T = out[c, f] and Q = out[c, g].
Then, f is computationally indistinguishable from g if and only if T ≅ Q.

Assume that f is not computationally indistinguishable from g but that T ≅
Q. Then there exists a test A distinguishing f and g. But then the context
[ ] | in[c, x].out[d, A(x)] will distinguish T from Q. Similarly, assume that f
is computationally indistinguishable from g but that T ≇ Q. Then there exists
a context C[ ] distinguishing T from Q on the basis of the observable o under
scheduler S. We construct a test A as follows. To evaluate A on the value a we
evaluate, under S, the expression C[out[c, a]] and return “1” if o is generated
and “0” otherwise. Clearly, A will distinguish f from g.

We can immediately obtain, as a corollary to Theorem 14, the result from
[22] showing that pseudorandom number generators can be represented in PPC.

5.2 Semantic Security 

Semantic security is an important cryptographic property due to [15]. We use a 
definition for uniform complexity based on [13,14]. We begin by summarizing 
the definition of a cryptosystem that can be found in full in [13] or [14], for 
example. 

Definition 15. [8,13,14] A public-key encryption scheme or, more simply, an
encryption scheme is a triple (G, E, D) comprising a probabilistic poly-time key-generation
algorithm G that produces a key pair from input 1^k (the security
parameter written in unary), a probabilistic poly-time encryption algorithm E, and
a probabilistic poly-time decryption algorithm D.

Intuitively, an encryption scheme is semantically secure if, given a ciphertext, 
no polynomially-bounded adversary can reliably compute information about the 
associated plaintext. Semantic security can also be stated using indistinguisha- 
bility: intuitively, it is infeasible for any adversary to distinguish between the 
encryptions of any two messages, even when it chooses the messages. For our 
purposes it is convenient to work with security in the sense of indistinguishabil- 
ity; we follow [14]. 




478  A. Ramanathan et al.



Definition 16. An encryption scheme (G, E, D) is indistinguishably secure if for all probabilistic poly-time Turing machines F, A, for every polynomial q, for sufficiently large k, and for all m:

$$\Bigl|\,Prob[A(1^k, e, (m_0, m_1), c) = m \mid c \in E(e, m_0)] - Prob[A(1^k, e, (m_0, m_1), c) = m \mid c \in E(e, m_1)]\,\Bigr| < \frac{1}{q(k)} \qquad (5)$$

with (m_0, m_1) chosen probabilistically by running F.

In words, it is impossible to efficiently generate two messages (using F) such that an attack A can reliably distinguish between their encryptions. This definition reflects adaptive chosen plaintext semantic security since the adversary, in possession of the encryption key, can generate and encrypt a polynomial number of messages. The equivalence of security in the sense of indistinguishability and semantic security is well known in cryptographic circles; [13] Ch. 5 has a detailed treatment of both directions.

Encoding the statement of indistinguishable encryptions as an observational equivalence in PPG is straightforward. In what follows, we will use the notation in[c, (x_1, ..., x_k)] to mean that the input obtained on channel c should be treated as a k-tuple whose ith element is named x_i.



Definition 17. Let (G, E, D) be an encryption scheme. Then (G, E, D) is an observationally indistinguishable encryption scheme iff

νc(out[c, pkey(G(1^n))] | in[c, key].out[pub, (key, 1^n)].in[msg, (m_0, m_1)].out[challenge, (key, (m_0, m_1), E(key, m_0))])   (LSS)

is observationally indistinguishable from

νc(out[c, pkey(G(1^n))] | in[c, key].out[pub, (key, 1^n)].in[msg, (m_0, m_1)].out[challenge, (key, (m_0, m_1), E(key, m_1))])   (RSS)

where pkey takes a private-public key-pair and returns only the public key.

An examination of the expression LSS shows that it

1. Generates an encryption-decryption key-pair,

2. Publishes the security parameter and the public key,

3. Obtains a message pair (that could be a function of the security parameter and the public key),

4. Publishes the encryption of the first message, along with the message pair and the encryption key.

Expression RSS is similar, but encrypts the second message.

Theorem 18. Let (G, E, D) be an encryption scheme. Then, (G, E, D) is semantically secure iff LSS ≅ RSS.

5.3 The Decision Diffie-Hellman Assumption

The Decision Diffie-Hellman assumption [8] is an assumption about modular 
exponentiation. Our development draws from [5,13]. 

A group family G is a set of finite cyclic groups {G_p} where the index p ranges over an infinite set. An instance generator IG(n) takes security parameter n, runs in time polynomial in n and returns a random index p as well as a generator g of the group G_p.

Definition 19. A Decision Diffie-Hellman algorithm A for G is a probabilistic polynomial time algorithm such that:

1. Given (p, g, g^a, g^b, g^c) the algorithm A reliably decides if c = ab; and,

2. There exists a non-constant positive polynomial q(·) such that IG(n) = (p, g) implies that |(p, g)| = Θ(q(n)).

The probability is taken over the probability that the instance generator IG(1^n) returns (p, g) given n, random choice of a, b, c in [1, ord G_p] and random bits used by A. The Decision Diffie-Hellman assumption (DDHA) for G is that no Decision Diffie-Hellman algorithm exists.

This assumption is believed for some group families G, but known to be false 
for others; see [5]. 

Definition 20. The group family G is observationally DDHA-secure if

out[ch, (p, g, g^a, g^b, g^{ab}) | a, b ∈_R [1, ord G_p]]  ≅  out[ch, (p, g, g^a, g^b, g^c) | a, b, c ∈_R [1, ord G_p]]   (DDHA)

where the term (p, g, g^a, g^b, g^{ab}) | a, b ∈_R [1, ord G_p] denotes the term that computes this tuple with a, b chosen uniformly at random from [1, ord G_p].

The following theorem shows that we can express the DDHA in PPG by an 
observational equivalence. 

Theorem 21. The DDHA holds for the group family G iff G is observationally 
DDHA-secure. 



5.4 The Semantic Security of El Gamal Encryption 

In this section, we use PPG to show semantic security of El Gamal encryption. 

Definition 22. Let · denote group multiplication and = denote group equality. An El Gamal encryption scheme is a triple (G, E, D) of probabilistic poly-time algorithms such that:

1. The key generating algorithm G, on input 1^n, outputs a public key e = (p, g, g^a) and a private key d = a where (p, g) ∈ IG(1^n) and a ∈_R [1, ord G_p].

2. An encryption algorithm E that, on input e = (p, g, g^a) and m, outputs (g^b, m · g^{ab} mod p) as the ciphertext (where b ∈_R [1, ord G_p]).

3. A decryption algorithm D that, given ciphertext c = (k, c') and decryption key d, computes c'/k^d. To see why this works, we note that k = g^b, c' = m · g^{ab} mod p, and d = a for some a, b, m. Then

$$\frac{c'}{k^d} = \frac{m \cdot g^{ab}}{(g^b)^a} = \frac{m \cdot g^{ab}}{g^{ab}} = m \qquad (6)$$



Let LEG and REG be the result of instantiating expressions LSS and RSS to El Gamal encryption.

Theorem 23. If the Decision Diffie-Hellman assumption holds for a group family G, then El Gamal encryption using G is semantically secure. Furthermore, there is a formal equational proof of the equivalence LEG ≅ REG stating that El Gamal encryption is semantically secure from the equivalence DDHA stating that the DDHA holds for G.



A detailed proof is given in [26]. It starts with the equivalence DDHA and builds up the equivalence LEG ≅ REG by systematically transforming the term that outputs a challenge instance of the DDHA. The proof can be split into two distinct parts. In the first part, we use mathematical facts about the group operation · in the group G_p to transform the DDHA challenge (p, g, g^a, g^b, g^{ab}) into a tuple (p, g, g^a, m_0, m_1, g^b, m_1 · g^{ab}) that almost looks like a semantic security challenge tuple for El Gamal encryption. The remainder of the proof consists of purely structural transformations on the expressions in order to arrive at an equivalence between two expressions of the right form. We suggest that, in general, proofs in PPG can be separated into a large sequence of structural transformations required to achieve the right shape of the protocol, coupled with a few transformations whose soundness is grounded in mathematical facts about the special nature of the problem. These special facts can be represented with special hypotheses (like DDHA) and special inference rules. Taken with the structural rules of Figure 1 this would allow us to derive El Gamal’s semantic security from the DDHA in an entirely mechanical manner.

Although we give a direct equational proof, we could also have used a back- 
ward proof search (exploiting the mechanizable nature of proofs in PPG) to work 
backward from the protocol to the conditions that the cryptographic primitives 
must satisfy. 



Theorem 24. If El Gamal encryption using the group family G is semantically secure, then the Decision Diffie-Hellman assumption holds for G. Furthermore, there is an equational proof of the equivalence DDHA from the equivalence LEG ≅ REG asserting El Gamal semantic security.

Assuming LEG ≅ REG, we use the rule CON to obtain

ν_pub(ν_msg(ν_challenge(LEG | in[pub, (p, g, g^a)].out[msg, (1, g^r) | r ∈_R [1, ord G_p]].in[challenge, ((p, g, g^a), (m_0, m_1), (g^b, f))].out[ddh, (p, g, g^a, g^b, f)])))

≅

ν_pub(ν_msg(ν_challenge(REG | in[pub, (p, g, g^a)].out[msg, (1, g^r) | r ∈_R [1, ord G_p]].in[challenge, ((p, g, g^a), (m_0, m_1), (g^b, f))].out[ddh, (p, g, g^a, g^b, f)])))

Since both the right-hand side and the left-hand side are scheduler-insensitive processes, we can use the proof rule NU2 to obtain the equivalence DDHA. In general, this technique is useful in going from long expressions to shorter ones.
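The El Gamal algorithms of Definition 22 together with the two reductions sketched for Theorems 23 and 24, as an added Python example that is not the paper's code; the toy group (p = 467, g = 4 of prime order 233), the function names and the fixed exponent arguments used for checking are this example's own assumptions.

```python
"""El Gamal over a toy prime-order group, plus the DDHA <-> semantic-security
reductions of Section 5.4 written as plain functions.  Added example, not
code from the paper; the concrete group below is constructed for illustration."""
import secrets

# Constructed toy instance of IG: p = 467 is prime, 466 = 2 * 233, and g = 4
# generates the subgroup G_p of quadratic residues, which has prime order 233.
# (Far too small for real use; it only makes the equations executable.)
P, G, ORDER = 467, 4, 233


def random_exponent():
    """Uniform choice in [1, ord G_p], written a ∈_R [1, ord G_p] in the paper."""
    return secrets.randbelow(ORDER) + 1


def keygen(a=None):
    """G: output the public key e = (p, g, g^a) and the private key d = a."""
    a = random_exponent() if a is None else a
    return (P, G, pow(G, a, P)), a


def encrypt(pub, m, b=None):
    """E(e, m) = (g^b, m * g^{ab} mod p) with b chosen at random."""
    p, g, ga = pub
    b = random_exponent() if b is None else b
    return pow(g, b, p), (m * pow(ga, b, p)) % p


def decrypt(priv, ct):
    """D: given c = (k, c') and d = a, return c' / k^d (equation (6))."""
    k, c2 = ct
    return (c2 * pow(pow(k, priv, P), -1, P)) % P


def ddh_challenge(real, a=None, b=None, c=None):
    """The tuple output on channel ch in Definition 20: (p, g, g^a, g^b, g^{ab})
    when `real` is True, otherwise (p, g, g^a, g^b, g^c) with independent c."""
    a = random_exponent() if a is None else a
    b = random_exponent() if b is None else b
    if real:
        last = pow(G, a * b, P)
    else:
        c = random_exponent() if c is None else c
        last = pow(G, c, P)
    return P, G, pow(G, a, P), pow(G, b, P), last


def elgamal_challenge_from_ddh(ddh, m0, m1):
    """Theorem 23 direction: turn a DDHA instance (p, g, g^a, g^b, f) into the
    tuple REG sends on `challenge`: ((p, g, g^a), (m0, m1), (g^b, m1 * f)).
    If f = g^{ab} this is exactly an encryption of m1 under (p, g, g^a);
    if f = g^c it is an encryption of an unrelated random group element."""
    p, g, ga, gb, f = ddh
    return (p, g, ga), (m0, m1), (gb, (m1 * f) % p)


def messages_for_theorem_24(r=None):
    """The message pair (1, g^r) that the context in the proof of Theorem 24
    outputs on `msg`."""
    r = random_exponent() if r is None else r
    return 1, pow(G, r, P)


def ddh_from_elgamal_challenge(pub, ct):
    """Theorem 24 direction: read ((p, g, g^a), (m0, m1), (g^b, f)) from
    `challenge` and output (p, g, g^a, g^b, f) on `ddh`.  With LEG (m0 = 1
    encrypted) f = g^{ab}, the real tuple; with REG, f = g^r * g^{ab} is a
    fresh random element, the random tuple."""
    p, g, ga = pub
    gb, f = ct
    return p, g, ga, gb, f


if __name__ == "__main__":
    pub, priv = keygen()
    msg = pow(G, 10, P)            # plaintexts must be elements of G_p
    print(decrypt(priv, encrypt(pub, msg)) == msg)
```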

6 Conclusion and Future Directions 

In this paper, we present a set of proof rules for asymptotic observational equiv- 
alence, prove them sound using a form of bisimulation, and apply the proof 
system to simple cryptographic protocols. We show, using only our proof rules, 
that the semantic security of El Gamal encryption may be derived from the De- 
cision Diffie-Hellman (DDH) assumption, and vice versa. Although the definition 
of asymptotic observational equivalence is stated in essentially the same way as 
our first paper on this approach [18], the semantic relation is actually different 
here because we have refined the operational semantics. In particular, our oper- 
ational semantics now allows a broader class of probabilistic schedulers (needed 
to choose between concurrent actions) and we execute private (“silent”) actions 
simultaneously in parallel before public communication. These changes give us 
more equivalences between processes. In comparison with a recent preliminary 
report [22], here we have introduced a completely new probabilistic bisimulation 
and the congruence proof to work with the new semantics and to take advantage 
of some attractive ideas advanced in [28]. Other prior papers on our process 
calculus [21,19] do not discuss probabilistic bisimulation or the proof rules for 
our calculus. 

The equational proof system presented in Section 4.2 combines relatively 
straightforward congruence and probabilistic parallel composition rules with sev- 
eral rules that equate processes with different syntactic forms. Some rules that 
will seem completely obvious to those familiar with nondeterministic process 
calculus are actually the result of careful work on the operational semantics. For 
example, the associativity of probabilistic parallel composition failed in several 
semantics that initially seemed plausible, and unobservability of communication 
on private channels, which is essential for reasoning about idealized security 
protocols, motivated the current semantics in which private communications are 
scheduled together in parallel in advance of public communication. 

We now appear to have an adequate basis to proceed in two important direc- 
tions. The first is to apply equational specification and reasoning to a number of 
interesting examples, such as commitment and agreement protocols. The other 







is to develop additional proof rules as needed to carry out these examples. It 
is naturally expected that we will extend the reach of the proof system and 
simplify some of the rules in the process. Although we do not yet know when 
this will arise, we expect that in order to handle some examples of interest, it 
will be necessary to refine the form of bisimulation to support additional equational reasoning. It may also be possible to develop model-checking procedures along the lines of those already explored for probabilistic temporal logics, e.g., [17]. In fact, we hope to be able to develop automated reasoning procedures for 
use in a network security setting using techniques developed in our study of the 
properties of our process calculus. 
Abstract. The pi calculus holds the promise of compile-time checks for whether a given program will have the correct interactive behaviour. The theory behind such checks is bisimulation. In the synchronous pi calculus, it is well-known that the various natural definitions of (strong) bisimulation yield different relations. In contrast, for the asynchronous pi calculus, they collapse to a single relation. We show that the definitions transfer naturally from the pi calculus to the explicit fusion calculus (a symmetric variant of the synchronous pi calculus), where they also collapse, and yield a simpler theory.

The important property of explicit fusions is that an explicit fusion in parallel with a term allows fused names to be substituted for each other. This means that parallel contexts become as discriminating as arbitrary contexts, and that open bisimilarity is more natural for the explicit fusion calculus than it was for the pi calculus. This is significant because ‘open’ is the principle behind automated bisimilarity-checkers.



1 Introduction 

The past few years have seen much interest in the pi calculus, as a foundation 
for a new generation of programming languages for distributed and interactive 
computation: for example, JoCAML [10,8] and Polyphonic C# [3] are inspired 
by the join primitives which in turn arose from the pi calculus; and BPML [6] 
and Microsoft Biztalk [9,25] are business process languages partially inspired by 
the pi calculus. At the syntactic level, the pi calculus consists of simple primitives 
for rendezvous between concurrent processes - simpler than threads, mutexes, 
events and pipes, for instance, and more suited to message-based interactions 
like HTTP. Semantically, the pi calculus holds the promise of behavioural types - i.e. compile-time verification that a piece of code obeys its intended protocol [7].

The standard paradigm for behavioural comparison in the pi calculus is bisimulation: this is a game where one party tries to make an interaction that the other party cannot match, and vice versa. If the two parties can match each other exactly, they are said to be bisimilar. Two factors complicate the theory of bisimilarity for the pi calculus. First, there are several natural definitions of bisimilarity. Second, one of the implementable forms of bisimilarity (symbolic or efficient, based on open bisimilarity [24]) loses elegance through its need for distinctions, which indicate when particular names can never become equal.
Since 1997 there has been interest in symmetric generalisations of the pi calculus based on fusions [12,22,17]. These feature a symmetric interaction between sender and receiver, where the sent name becomes ‘fused’ or equal to the received name. (In contrast, pi calculus is asymmetric in that the sent name replaces the received name.) The stated motivations for fusion calculi were to simplify the basic pi primitives [22], to model graph reduction [12,17], and to model concurrent constraint programming [26]. In particular, we introduced the explicit fusion calculus to simplify action graphs, which led to Milner’s current work on bi-graphs [21]. We implemented explicit fusions in the Fusion Machine [15], and they were also adapted by the ongoing Microsoft ‘Highwire’ project.

The original contribution of this paper is to show how the four standard 
definitions of strong bisimulation congruence, familiar from the pi calculus, can 
be applied without modification to the explicit fusion calculus. (By contrast, 
other fusion calculi have used unfamiliar customised bisimulations). We show 
that the definitions collapse to a single relation in our fusion calculus - even 
though they yield different relations in the pi calculus. The reason for the collapse 
is that distinctions are no longer needed. (The collapsed relation turns out to be 
the same as those yielded by the customised bisimulations used for other fusion 
calculi [17].) 

Bisimulation relations describe when two processes are behaviourally equiv- 
alent. The simplest definition of behavioural equivalence is: ‘two processes are 
equivalent if and only if they have the same behaviour in all contexts.’ But 
the infinite quantification over contexts makes this definition impractical. In- 
stead, one looks for a relation that has a co-inductive definition, and hopes that 
it coincides with the contextual definition. There are actually four key ways to define behavioural equivalence for process calculi: depending on whether the relation is closed under initial contexts (‘shallow’ congruence) or under subsequently-changing contexts as well (reduction-closed congruence); and orthogonally whether we just observe the channels over which messages are sent (barbed) or also record the message and the resulting state (ground).

In the pi calculus, there is also a co-inductive definition of ground congruence, 
called open bisimulation [24] . It is a comparatively complicated definition, which 
uses distinctions to keep track of those names that must be kept apart (distinct 
from each other) in the bisimulation analysis. For example, in the transition

(x)(ūx | P)  -ū(x)->  P   (1)

the name x can never be substituted by another name; the distinctions keep track of this fact. The relationship between the bisimulations for the pi calculus is summarised below; interestingly, in the asynchronous variant of the pi calculus, the congruences collapse [2]:

shallow-ground = reduction-closed ground = open
  ⊂
reduction-closed-barbed
  ⊂
shallow-barbed
We study analogous strong bisimulation relations for the explicit fusion calculus [17]. Like all fusion calculi, the explicit fusion calculus has symmetric non-binding input and output actions. What sets it apart is its simple local reaction between input and output actions:

ūx.P | uy.Q  →  x=y | P | Q.   (2)

Here the explicit fusion x=y allows x and y to be used interchangeably throughout the rest of the term. This ‘interchange’ power of fusions is what simplifies open bisimulation. (Also, the locality of this reaction allows us to use the same bisimulation definitions as the pi calculus; other fusion calculi use a non-local reaction and so need customised versions of bisimulation.)

Recall that for Transition 1 in the pi calculus, x could never be substituted by another name, and so had to be kept distinct. But in the explicit fusion calculus, x can be substituted (e.g. by a parallel context x=y | _), and so distinctions are not needed. Without distinctions, open bisimulation degenerates to just closure under substitution. And all reduction-closed congruences are by nature closed under substitution, and therefore coincide with open bisimulation. (Distinctions are ‘not needed’ only because fusions limit expressiveness - they make it impossible to generate two names that will always be distinct [4].)

Here we do not study weak bisimulation congruences. Many have been stud- 
ied by Fu [13,14] for the chi calculus. An interesting open problem is to explore 
such congruences for the explicit fusion calculus, particularly since equators [18] 
in a weak setting are similar to explicit fusions [19,16]. 

Structure. The structure of the paper is as follows. Section 2 presents the ex- 
plicit fusion calculus and compares it to other fusion calculi. Section 3 gives the 
definitions of barbs and labelled transitions for the calculus. Sections 4 and 5 
define strong bisimulation and provide the results: Section 4 concentrates on the 
reduction-closed congruences, and Section 5 relates these to shallow congruence. 
The results in Section 4 were first reported in Wischik’s doctoral dissertation [27]. 

This paper has many definitions - an inherent necessity in the current project, 
of showing how the standard definitions coincide for the explicit fusion calculus. 
We have been parsimonious, using just two intermediate definitions in our proofs. 



↓       Barbs (Def. 1), standard from the pi calculus
→       Labelled transitions (Def. 2), standard from pi
→_e     ‘Efficient’ transitions (Def. 3), used as intermediate in proofs
→_s     Structural transitions (Def. 4), must be customised for each calculus
∼_b     Reduction-closed barbed congruence (Def. 6), standard from pi
∼_g     Reduction-closed ground congruence (Def. 7), standard from pi
∼_o     ‘Inside-outside’ bisimulation (Def. 8), used as intermediate in proofs
∼_e     Efficient bisimulation (Def. 9), must be customised for each calculus
∼_gs    Shallow ground congruence (Def. 11), standard from pi
∼_bs    Shallow barbed congruence (Def. 11), standard from pi
2 Explicit Fusion Calculus

The explicit fusion calculus is defined in Table 1. It is like the pi calculus but with two differences: first, it includes explicit fusions x=y; second, it uses non-binding input actions ux.P instead of binding input u(x).P. In the explicit fusion calculus, reaction between non-binding output and non-binding input gives rise to explicit fusions:

ūx.P | uy.Q | R  →  x=y | P | Q | R.

The effect of the fusion x=y is global in scope: the x and the y can be used interchangeably throughout the entire process, including R. To limit the scope of the fusion, we use restriction. For example, restricting x in the above expression we obtain

(x)(x=y | P | Q | R)  ≡  P{y/x} | Q{y/x} | R{y/x}.

Explicit fusions allow for the substitutive effects of reaction to be delayed, rather than requiring the substitution be performed globally and immediately. This is reminiscent of the use of explicit substitutions in the lambda calculus [1], used in implementations to delay the substitutive effects of beta reduction.

We can emulate the pi-calculus reaction ūx.P | u(y).Q → P | Q{x/y}, by binding y in the input action:

ūx.P | (y)(uy.Q)
  ≡  (y)(ūx.P | uy.Q)          (assuming y not free in P)
  →  (y)(x=y | P | Q)
  ≡  (y)(x=y | P | Q{x/y})     (substitutive effect of fusion)
  ≡  (y)(x=y) | P | Q{x/y}     (scope intrusion)
  ≡  P | Q{x/y}.

Alpha-renaming can also be deduced from the laws of structural congruence:

(x)P  ≡  (x)((y)(x=y) | P)  ≡  (xy)(x=y | P{y/x})  ≡  (y)((x)(x=y) | P{y/x})  ≡  (y)P{y/x}.

We remark upon what distinguishes explicit fusions from other fusion calculi. Those calculi lack explicit fusions, and cannot therefore allow x=y to be left behind after reaction. Instead, they allow reaction only in the presence of a restricted x or y - so the interchange power of the fusion can be immediately and fully discharged:

(x)(ūx.P | uy.Q | R)  →  P{y/x} | Q{y/x} | R{y/x}.

The reaction is non-local, unlike reaction in the pi calculus and explicit fusion calculus. But despite the difference in operational semantics, they end up yielding the same bisimulation congruence as the explicit fusion calculus [17]. This congruence has already been axiomatised for finite processes [22]. We remark that the full polyadic reaction rule, using many xs and ys, is more complicated. It is also not clear how to implement the rule, since practical implementations (e.g. Pict, CML) keep no record to distinguish a locally-generated (restricted) name from one that is pre-existing (free).
Table 1. The explicit fusion calculus

The terms P and contexts E in the explicit fusion calculus are

P ::= 0 | x=y | ūx.P | ux.P | (x)P | P|P | !P

E ::= _ | ūx.E | ux.E | (x)E | E|P | P|E | !E

The structural congruence on terms ≡ is the smallest equivalence satisfying the following axioms, and closed with respect to contexts:

P|(Q|R) ≡ (P|Q)|R     P|Q ≡ Q|P     P|0 ≡ P     !P ≡ P|!P

(x)(P|Q) ≡ (x)P | Q  if x ∉ fn(Q)     (x)(y)P ≡ (y)(x)P

x=y | y=z ≡ x=z | y=z     x=y ≡ y=x     x=x ≡ 0     (x)(x=y) ≡ 0

x=y | P ≡ x=y | P{y/x}

The reaction relation is the smallest relation → satisfying the following axiom and closed with respect to ≡ and contexts:

ūx.P | uy.Q  →  x=y | P | Q

The explicit fusions in a term P generate an equivalence relation Eq(P) on names as follows. (Given two equivalence classes F and G we write F ⊕ G for their equivalence-closed union, and F\x for when x is in a singleton class and all other names are related as in F; and I for the identity relation.)

Eq(x=y) = {(x,y), (y,x)} ∪ I     Eq(ūx.P) = I
Eq(P|Q) = Eq(P) ⊕ Eq(Q)         Eq(ux.P) = I
Eq((x)P) = Eq(P)\x              Eq(0) = I
Eq(!P) = Eq(P)

We write P ⊢ x=y as shorthand for (x, y) ∈ Eq(P). Note that P ≡ Q implies Eq(P) = Eq(Q), and that P ⊢ x=y if and only if P ≡ x=y | P.


Following Milner [20], we will assume well-sorted terms: the sorting prevents arity mismatches such as ūx | uyz. Moreover, fusions only fuse names of the same sort. We do not define the sorting system; it is sufficient to note just that each name x has a sort S, written x:S, which prevents mismatches.



3 Barbs and Labelled Transitions

The two standard ways to characterise the behaviour of a program are through observations (barbs) and labelled transitions. We define them here. We in fact give three definitions of the labelled transitions: the first is quotiented by ≡ and is the same as for the pi calculus; the second introduces a new fusion labelled transition and the third uses the fusion transitions to provide a structurally inductive characterisation, which is easier to use in proofs. All three are equivalent (Theorem 5).

Table 2. Concretions

Concretions have the form (x̃)(ỹ : P) where the names in x̃ are distinct and contained in ỹ, and no x ∈ x̃ is fused by Eq(P). Let C, D range over concretions. For a concretion (x̃)(ỹ : P), we call the context I = (x̃)(ỹ : _) the interface of the concretion, and we write the concretion as I : P. The names x̃ are bound in this concretion.

Structural congruence on concretions is defined by: (x̃_1)(ỹ_1 : P_1) ≡ (x̃_2)(ỹ_2 : P_2) if and only if there exist fresh names x̃ of the same size as x̃_1 and x̃_2, permutations π_1 and π_2 and substitutions σ_1 = {x̃/π_1 x̃_1}, σ_2 = {x̃/π_2 x̃_2} such that P_1σ_1 ≡ P_2σ_2 and ỹ_1σ_1 is identical to ỹ_2σ_2 up to Eq(P_1).

The operators of restriction, composition and application on concretions are as follows. Assume by alpha-renaming that x̃_1 and x̃_2 do not intersect, and x̃_1 binds no name free in P_2 and x̃_2 binds no names free in P_1.

(z)(x̃)(ỹ : P)  =  (x̃)(ỹ : P)        if z ∈ {x̃}
                =  (zx̃)(ỹ : P)       if z ∈ {ỹ}
                =  (x̃)(ỹ : (z)P)     otherwise

(x̃_1)(ỹ_1 : P_1) | (x̃_2)(ỹ_2 : P_2)  =  (x̃_1x̃_2)(ỹ_1ỹ_2 : P_1 | P_2)

(x̃_1)(ỹ_1 : P_1) @ (x̃_2)(ỹ_2 : P_2)  =  (x̃_1x̃_2)(ỹ_1=ỹ_2 | P_1 | P_2)

We sometimes write just P to stand for the empty concretion ()(0 : P).

Formally, assume an infinite set 𝒩 of names. Let μ range over {u, ū : u ∈ 𝒩}, α over {τ, u, ū : u ∈ 𝒩}, and λ over {τ, u, ū, ?u=v : u, v ∈ 𝒩}. Write x ∉ μ (or α or λ) when x does not occur in the label.

Definition 1 (Barbs) The observation relation between terms and barbs μ, denoted P ↓ μ, is the smallest relation satisfying

μx.P ↓ μ          P|Q ↓ μ  if P ↓ μ

(x)P ↓ μ  if P ↓ μ and x ∉ μ

Q ↓ μ  if Q ≡ P ↓ μ

For labelled transitions, we use a symmetric generalisation of Milner’s concretions [20]. As an example, we write P -μ-> I : P' to indicate that the term P can perform an input or output action μ, sending or receiving the data I, and end up in state P'. Concretions are defined in Table 2.

Definition 2 (Labelled transitions) The labelled transition relation P -α-> I : P' is the smallest relation satisfying

μx.P -μ-> x : P          P|Q -α-> C|Q  if P -α-> C

ūx.P | uy.Q -τ-> x=y | P | Q          (x)P -α-> (x)C  if P -α-> C and x ∉ α

Q -α-> D  if Q ≡ P -α-> C ≡ D
This definition of labelled transitions is the same as that of the pi calculus. The 
pi calculus also has an inductively defined alternative, but it does not carry over 
to the explicit fusion calculus. Instead, as a first step towards our own customised 
inductive characterisation, we extend our labelled transition system with fusion 
transitions. The fusion transitions are generated from the rule

ūx.P | vy.Q  -?u=v->  x=y | P | Q

where ?u=v indicates that the left-hand term contains an input and an output on the channels u and v. This means that the term has the potential for a tau transition in the context u=v | _.

Definition 3 (Extended transitions) The extended labelled transition relation P -λ->_e I : P' is the smallest relation satisfying

μx.P -μ->_e x : P          P|Q -λ->_e C|Q  if P -λ->_e C

ūx.P | uy.Q -τ->_e x=y | P | Q          (x)P -λ->_e (x)C  if P -λ->_e C and x ∉ λ

ūx.P | vy.Q -?u=v->_e x=y | P | Q          Q -λ->_e D  if Q ≡ P -λ->_e C ≡ D

We remark that the fusion calculus of Victor and Parrow uses a different fusion transition. Recall that the fusion calculus requires certain restrictions to be present before allowing reaction. It uses the transition ūx.P | uy.Q → P | Q to indicate that, if eventually x or y are restricted, then a tau transition will be possible. Another alternative fusion label has appeared recently in work by Milner [21]. Milner’s fusion label P -u=v|_-> P' denotes that u=v | _ is a minimal context necessary to allow reaction: that is to say, u=v | P → P' and (u, v) ∉ Eq(P). This is part of Milner’s programme to treat transition labels as minimal contexts. It would be interesting to give such a labelled transition system for the explicit fusion calculus, and compare the resulting bisimulation with the bisimulations given here.

Our fusion transitions allow for an inductive characterisation of labelled transitions - that is, one where the left hand side is not quotiented by structural congruence. We need to introduce one more feature relating to explicit fusions. The point is that u=v | ux.P undergoes a transition on u, but it is also structurally congruent to u=v | vx.P which undergoes a transition on v. Thus, explicit fusions in a term can change the labels of the transitions it undergoes. We write P ⊢ λ = λ' when P contains sufficient explicit fusions to turn the label λ into λ'. The definition is given below, and generalises that of Table 1 which only applies to names.
Definition 4 (Structurally-derived transitions) The labelled transition system P -λ->_s I : P' is the smallest relation satisfying

ūx.P -ū->_s x : P          ux.P -u->_s x : P

P|Q -?u=v->_s C@D  if P -ū->_s C and Q -v->_s D          P|Q -?u=v->_s C@D  if P -u->_s C and Q -v̄->_s D

P -τ->_s C  if P -?u=u->_s C

P|Q -λ->_s C|Q  if P -λ->_s C          P|Q -λ->_s P|D  if Q -λ->_s D

P -λ'->_s C  if P -λ->_s C and P ⊢ λ=λ'   (*)

!P -λ->_s C  if P|!P -λ->_s C          (x)P -λ->_s (x)C  if P -λ->_s C and x ∉ λ          P -λ->_s D  if P -λ->_s C ≡ D

The rule marked * uses the judgement P ⊢ λ_1 = λ_2 defined by

P ⊢ ?u=v = ?v=u
P ⊢ x = y  if (x, y) ∈ Eq(P)
P ⊢ x̄ = ȳ  if (x, y) ∈ Eq(P)
P ⊢ ?x=y = ?u=v  if (x, u) ∈ Eq(P) and (y, v) ∈ Eq(P).

We remark that the normal τ transition is deduced from identity fusion transitions. The following extended example illustrates both the ability of an explicit fusion to rename a label (marked * in the rules), and also the deduction of a τ transition:

u=v | ūx.P | vy.Q  -?u=v->_s  u=v | x=y | P | Q
u=v | ūx.P | vy.Q  -?u=u->_s  u=v | x=y | P | Q   (*)
u=v | ūx.P | vy.Q  -τ->_s     u=v | x=y | P | Q

Finally, we state the equivalence of these various kinds of observations and labels. Recall that μ ranges over {u, ū}, α ranges over {u, ū, τ}, and λ ranges over {u, ū, τ, ?u=v}.

Theorem 5 (Labelled transition systems)

1. P ↓ μ if and only if there exists C such that P -μ-> C.

2. P -α-> C if and only if P -α->_e C.

3. P -λ->_e C if and only if P -λ->_s C.

Proof. Parts 1 and 2 follow from the definitions. Part 3 was given in [17]. □
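As an added example, not code from the paper: the relation Eq(P) of Table 1 computed by merging fusion classes (with restriction (x) returning x to a singleton class), plus the label judgement P ⊢ λ = λ' of Definition 4 and the τ-from-identity-fusion step used in the example above. The tuple encoding of terms and labels, and the assumption that bound names are distinct from free ones, are this example's own.

```python
"""Eq(P) from Table 1 and the label judgement of Definition 4.
Added example, not the paper's code.  Term encoding (an assumption of this
example):  ('0',) | ('fuse', x, y) | ('out', u, x, P) | ('in', u, x, P)
           | ('res', x, P) | ('par', P, Q) | ('rep', P)
Labels: a name 'u' is an input on u, ('bar', 'u') an output on u,
('tau',) is tau, and ('?', u, v) is the fusion label written ?u=v.
Bound names are assumed distinct from free names (alpha-rename first)."""


def _merge(classes):
    """Equivalence-closed union: merge classes sharing a name until disjoint."""
    result = []
    for cls in classes:
        cls = set(cls)
        rest = []
        for r in result:
            if r & cls:
                cls |= r          # absorb every class that overlaps
            else:
                rest.append(r)
        result = rest + [cls]
    return {frozenset(c) for c in result}


def eq(term):
    """Eq(P) as the set of its non-singleton classes; the identity I is implicit."""
    kind = term[0]
    if kind == 'fuse':                       # Eq(x=y) = {(x,y),(y,x)} u I
        _, x, y = term
        return {frozenset({x, y})} if x != y else set()
    if kind == 'par':                        # Eq(P|Q) = Eq(P) (+) Eq(Q)
        return _merge(eq(term[1]) |
                      eq(term[2]))
    if kind == 'res':                        # Eq((x)P) = Eq(P) \ x
        _, x, body = term
        return {c - {x} for c in eq(body) if len(c - {x}) > 1}
    if kind == 'rep':                        # Eq(!P) = Eq(P)
        return eq(term[1])
    return set()                             # Eq(0) = Eq(ux.P) = Eq(ūx.P) = I


def entails(term, x, y):
    """P |- x=y  iff  (x, y) in Eq(P)."""
    return x == y or any(x in c and y in c for c in eq(term))


def label_equal(term, l1, l2):
    """P |- l1 = l2, the clauses under Definition 4: names (input or output)
    are related through Eq(P); ?u=v = ?v=u unconditionally; and ?x=y = ?u=v
    when P |- x=u and P |- y=v (combined here with the symmetry clause)."""
    if isinstance(l1, str) and isinstance(l2, str):          # input labels
        return entails(term, l1, l2)
    if not (isinstance(l1, tuple) and isinstance(l2, tuple)) or l1[0] != l2[0]:
        return False
    if l1[0] == 'tau':
        return True
    if l1[0] == 'bar':                                        # output labels
        return entails(term, l1[1], l2[1])
    (_, x, y), (_, u, v) = l1, l2                             # fusion labels
    return (entails(term, x, u) and entails(term, y, v)) or \
           (entails(term, x, v) and entails(term, y, u))


def fusion_yields_tau(term, label):
    """A fusion transition ?u=v of P can be relabelled (rule *) to the
    identity fusion ?u=u, and hence to tau, exactly when P |- u=v."""
    return label[0] == '?' and label_equal(term, label, ('?', label[1], label[1]))


if __name__ == "__main__":
    # Constructed term: u=v | ūx.0 | vy.0, the left-hand side of the example above
    ex = ('par', ('fuse', 'u', 'v'),
          ('par', ('out', 'u', 'x', ('0',)), ('in', 'v', 'y', ('0',))))
    print(fusion_yields_tau(ex, ('?', 'u', 'v')))
```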



4 Bisimulation Congruence

In this section we define the strong reduction-closed congruences for the explicit fusion calculus, and show that they are equivalent. The congruences we study are: (1) standard barbed and ground bisimulation congruences using labelled transitions; (2) the inside-outside bisimulation; and (3) a co-inductive efficient characterisation. The inside-outside bisimulation is the key to showing that all the congruences are equivalent. (The co-inductive efficient characterisation was the only one studied in [17].)

First we give the definitions of barbed and ground congruence. Barbed con- 
gruence is defined using the reaction relation and the observations (barbs); 
ground congruence depends on the labelled transitions. 

Definition 6 (Barbed congruence) A relation $S$ on terms in the calculus is a (strong) barbed bisimulation iff whenever $P \,S\, Q$ then

1. $P \downarrow \mu$ if and only if $Q \downarrow \mu$,

2. if $P \to P'$ then $Q \to Q'$ such that $P' \,S\, Q'$,

3. if $Q \to Q'$ then $P \to P'$ such that $P' \,S\, Q'$.

We write $\sim_b$ for the largest barbed bisimulation. A barbed bisimulation $S$ is additionally a reduction-closed barbed congruence iff whenever $P \,S\, Q$ then, for all contexts $E$, $E[P] \,S\, E[Q]$. We write $\simeq_b$ for the largest reduction-closed barbed congruence.

Definition 7 (Ground congruence) A relation $S$ is a (strong) ground bisimulation iff whenever $P \,S\, Q$ then, assuming $I$ binds no names free in $P$ or $Q$,

1. $P \xrightarrow{\alpha} I{:}P'$ implies $Q \xrightarrow{\alpha} I{:}Q'$ and $P' \,S\, Q'$, and

2. $Q \xrightarrow{\alpha} I{:}Q'$ implies $P \xrightarrow{\alpha} I{:}P'$ and $P' \,S\, Q'$.

We write $\sim_g$ for the largest ground bisimulation. A ground bisimulation $S$ is additionally a reduction-closed ground congruence iff whenever $P \,S\, Q$ then $E[P] \,S\, E[Q]$ for all contexts $E$. We write $\simeq_g$ for the largest reduction-closed ground congruence.

We now define inside-outside bisimulation, which is the natural form of open
bisimulation for the explicit fusion calculus. To motivate it, we first consider 
some example terms which are ground bisimilar but not ground congruent. 

(1) The terms $u{=}v$ and $0$ are ground bisimilar, since neither undergoes any transitions. But consider them inside the context $- \mid \bar u \mid v$. The first allows a reaction; the second does not. Two congruent terms must necessarily contain the same explicit fusions inside.

(2) We use the abbreviation $\tau.R = (u)(\bar u \mid u.R)$ with $u$ fresh. Consider the programs

$P = !y.x.\tau.z \mid !x.y.\tau.z$

$Q = !(w)(y.\bar w \mid x.w.z)$

The two are ground bisimilar. However, in a context $x{=}y \mid -$, $Q$ has an action after two steps, but $P$ has one only after three. Two congruent terms must necessarily behave in the same way under explicit fusion contexts. Closure under fusion contexts is like closing under substitutions; the example programs $P$ and $Q$ were first given by Sangiorgi and Boreale [5] to show that ground bisimulation is not closed under substitution.

We will see that the two conditions given above are necessary and sufficient 
to prove congruence. The two conditions are formalised in the following bisimu- 
lation: 

Definition 8 (Inside-outside bisimulation) A ground bisimulation $S$ is an inside-outside bisimulation iff whenever $P \,S\, Q$ then

1. $Eq(P) = Eq(Q)$,

2. for all fusions $x{=}y$: $x{=}y \mid P \;S\; x{=}y \mid Q$.

We write $\sim_{io}$ for the largest inside-outside bisimulation.

Our final bisimulation has a simple co-inductive definition that avoids all quantifications over any sort of context; it is standard to call such a bisimulation efficient. Recall that the fusion transition

$\bar u x.P \mid vy.Q \;\xrightarrow{u=v}\; x{=}y \mid P \mid Q$

indicates that, in the presence of an explicit fusion $u{=}v$, the terms can react. This means that quantification over a term's fusion labels is as discriminating as quantifying over explicit fusion contexts.
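As an added illustration (this code is not from the paper), the following Python script models $Eq(P)$ as a union-find structure over the explicit fusions of a term, implements the judgement $P \vdash \lambda_1 = \lambda_2$ on labels from the rules marked * above, and uses it to decide when the fusion transition $\bar u x.P \mid vy.Q \xrightarrow{u=v} \dots$ can be read as a reaction in a given fusion context. Representing a term only by the list of fusion pairs it contains, and all function and class names, are this example's own assumptions.

```python
# Added example, not from the paper: Eq(P) and the label judgement P |- l1 = l2
# over a term's explicit fusions.  A term is represented only by the list of
# fusion pairs (x, y) it contains; that representation and all helper names are
# this example's own.

class Fusions:
    """Eq(P): the smallest equivalence on names containing every explicit
    fusion x=y of P, kept as a union-find forest."""

    def __init__(self, fusions):
        self.parent = {}
        for x, y in fusions:
            self.union(x, y)

    def find(self, x):
        # a name never mentioned in a fusion is only equal to itself
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, x, y):
        rx, ry = self.find(x), self.find(y)
        if rx != ry:
            self.parent[ry] = rx

    def entails(self, x, y):
        """P |- x=y  iff  (x, y) in Eq(P)."""
        return self.find(x) == self.find(y)

    def classes(self, names):
        """Eq(P) restricted to `names`, as a set of equivalence classes."""
        groups = {}
        for n in names:
            groups.setdefault(self.find(n), set()).add(n)
        return frozenset(frozenset(g) for g in groups.values())


def labels_equal(eq, l1, l2):
    """The judgement P |- l1 = l2.  Labels are tuples:
    ('tau',), ('in', u), ('out', u) and ('fus', u, v) for the fusion label u=v."""
    if l1[0] != l2[0]:
        return False
    if l1[0] == 'tau':
        return True
    if l1[0] in ('in', 'out'):          # P |- x = y  and  P |- xbar = ybar
        return eq.entails(l1[1], l2[1])
    (_, x, y), (_, u, v) = l1, l2
    # P |- u=v = v=u, and x=y may be renamed to u=v when (x,u),(y,v) in Eq(P)
    return ((eq.entails(x, u) and eq.entails(y, v))
            or (eq.entails(x, v) and eq.entails(y, u)))


def same_eq(p_fusions, q_fusions, names):
    """Condition 1 of inside-outside bisimulation: Eq(P) = Eq(Q) on `names`."""
    return Fusions(p_fusions).classes(names) == Fusions(q_fusions).classes(names)


def can_react(eq, u, v):
    """ubar x.P | v y.Q performs a tau step exactly when the surrounding explicit
    fusions let the label u=v be renamed to the identity fusion u=u."""
    return labels_equal(eq, ('fus', u, v), ('fus', u, u))


if __name__ == '__main__':
    ctx = Fusions([('u', 'v')])               # the context u=v | -
    print(can_react(ctx, 'u', 'v'))           # True: u=v | ubar x.P | v y.Q reacts
    print(can_react(Fusions([]), 'u', 'v'))   # False: 0 | ubar x.P | v y.Q does not
```

The `same_eq` check reproduces example (1) above: `u=v` and `0` have different $Eq$ on the names $u, v$, so they fail condition 1 of Definition 8 even though both are inert.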

Definition 9 (Efficient bisimulation) An efficient bisimulation is a symmetric relation $S$ such that if $P \,S\, Q$ then, assuming $I$ binds no names free in $Q$,

1. $Eq(P) = Eq(Q)$,

2. $P \xrightarrow{\alpha}_e I{:}P'$ implies $Q \xrightarrow{\alpha}_e I{:}Q'$ and $P' \,S\, Q'$,

3. $P \xrightarrow{u=v}_e P'$ implies $u{=}v \mid Q \to Q'$ and $u{=}v \mid P' \;S\; Q'$.

We write $\sim_e$ for the largest efficient bisimulation.

We remark on why the third condition in the definition of $\sim_e$ is as it is. The intuition is that $\sim_e$ should coincide with $\sim_{io}$. Now $\sim_{io}$ says that, if $P$ can react in a context $u{=}v$, then so can $Q$. The labelled transition $P \xrightarrow{u=v} C$ also declares that $P$ can react in the context, but it actually declares more information: not just that it can react in the context, but also that it actually contains input and output commands on $u$ and $v$. Therefore, in the definition of efficient bisimulation, the consequent must remove this extra information about it containing $u$ and $v$.

Theorem 10 $\simeq_b \;=\; \simeq_g \;=\; \sim_{io} \;=\; \sim_e$.



Proof. We first show that $\simeq_b = \simeq_g$. It is apparent from the definitions that $\simeq_g \subseteq \simeq_b$. The opposite direction, that $\simeq_b \subseteq \simeq_g$, requires more work. The issue is that, for a transition $P \xrightarrow{\mu} I{:}P'$, ground bisimulation records the data and resulting state $I{:}P'$, while barbed bisimulation discards it. Our task is to create a context $R$ which can reconstruct it. In particular, given a transition $P \xrightarrow{\mu} I{:}P'$, we deduce that $P \mid R$ undergoes a tau transition, and hence (by barbed bisimilarity) so does $Q \mid R$, and we need an $R$ sophisticated enough to deduce that $Q \xrightarrow{\mu} I{:}Q'$.

We use a family of contexts $R = \bar u \tilde y.\phi$ where all the names $\tilde y$ are fresh, and $\phi$ is a fusion of two fresh names. This fusion $\phi$ acts as our litmus paper: supposing that $P \xrightarrow{\mu} I{:}P'$, then $P$ will react with $R$ to liberate $\phi$. By the assumption of barbed bisimilarity, $Q \mid R$ makes a matching transition which also liberates $\phi$, and so the matching transition must have involved $R$, and there must be a transition $Q \xrightarrow{\mu} J{:}Q'$. The remainder of the work is then to show that the interfaces $I$ and $J$ match. This amounts to picking apart the fusions involving $\tilde y$, which is possible because each $y \in \tilde y$ is fresh and distinct. More detail is given in Proposition 38 of [27].

For the proof that $\simeq_g \subseteq \sim_{io}$, consider the three requirements in the definition of $P \sim_{io} Q$: first that $P \sim_g Q$, which is also a requirement of $\simeq_g$; second that $x{=}y \mid P \;\sim_g\; x{=}y \mid Q$, which is a special case of the more general context closure in $\simeq_g$; third that $Eq(P) = Eq(Q)$. For the proof of this third point we start by supposing the contrary: that there exist two congruent terms $P \simeq_g Q$ but with a pair of names $u, v$ such that $(u,v) \in Eq(P)$ but $(u,v) \notin Eq(Q)$. Consider $P$ in the example context $\bar u x \mid vy \mid \bar x$, where $x$ and $y$ are fresh names. This undergoes the transitions

$P \mid \bar u x \mid vy \mid \bar x \;\xrightarrow{\tau}\; P \mid x{=}y \mid \bar x \;\xrightarrow{\bar y}\; P \mid x{=}y.$

But no single transition in $Q$ can result in $x{=}y$; therefore no $\bar y$ can follow a single tau transition; therefore $P$ and $Q$ are not congruent. This contradiction proves that if $P \simeq_g Q$ then $Eq(P) = Eq(Q)$.

Continuing in the forward direction, $\sim_{io} \subseteq \sim_e$ is apparent from the definitions.

Finally, we show that $\sim_e \subseteq \simeq_g$. It is clear from the definitions that $\sim_e$ is a ground bisimulation; it remains to prove that it is a reduction-closed congruence. The proof for this was given in [17]. We sketch the proof briefly here: construct $S$ as the smallest relation that contains $\sim_e$ and that is closed under

1. if $P \equiv P_1 \;S\; Q_1 \equiv Q$ then $P \,S\, Q$;

2. if $P \,S\, Q$ then $(x)P \;S\; (x)Q$, $\mu x.P \;S\; \mu x.Q$ and $!P \;S\; !Q$;

3. if $P_1 \,S\, Q_1$ and $P_2 \,S\, Q_2$ then $P_1 \mid P_2 \;S\; Q_1 \mid Q_2$.

Clearly $S$ is a reduction-closed congruence. It remains to prove that it is an efficient bisimulation, which is done by a lengthy induction on its construction. We only remark on why the third closure condition is as strong as it is. Imagine the weaker condition that if $P \,S\, Q$ then $P \mid R \;S\; Q \mid R$ and $R \mid P \;S\; R \mid Q$. Now consider the replication case, that $P \xrightarrow{\alpha} I{:}P'$ giving $!P \xrightarrow{\alpha} I{:}(P' \mid !P)$. We can deduce that $!Q \xrightarrow{\alpha} I{:}(Q' \mid !Q)$ and $P' \,S\, Q'$. But now we need closure conditions on $S$ that are strong enough to deduce that $P' \mid !P \;S\; Q' \mid !Q$. The weaker conditions are not adequate. □

5 Shallow Congruence 

In the previous section we considered ‘reduction-closed congruences’, i.e. the largest congruences that are also bisimulations. These model the situation where environments change during execution (the norm in distributed computation). In this section we consider ‘shallow congruences’, the largest congruences contained in bisimulation. These model the situation where a sub-program’s context is fixed at compile-time. They are generally called just ‘congruences’ in the literature.

Intuitively, one might expect the reduction-closed and shallow congruences to generate the same relations, since one could presumably write an initial environment sophisticated enough to model a subsequently-changing environment. This result holds for ground congruences in the synchronous pi calculus. However, it is not true for the barbed congruences in the synchronous pi calculus. To prove the analogous result for the weak barbed congruences associated with the asynchronous pi calculus, Fournet and Gonthier [11] actually had to use a Universal Pi-calculus Machine for their initial environment, and they used it to simulate the execution of a Goedelised version of a program.

In the explicit fusion calculus, we prove that the shallow congruences coincide with the reduction-closed congruences. Our proof technique, like that of Fournet and Gonthier, involves creating an initial sophisticated environment. But because we are using ground rather than barbed bisimulation, and thanks to the inside-outside bisimulation for explicit fusions, our environment is much simpler.

Definition 11 (Shallow Congruence)

1. Two terms $P$ and $Q$ are shallow ground congruent iff for all contexts $E$, $E[P] \sim_g E[Q]$. We write $\simeq_{gs}$ for the largest shallow ground congruence.

2. Two terms are shallow barbed congruent iff for all contexts $E$, $E[P] \sim_b E[Q]$. We write $\simeq_{bs}$ for the largest shallow barbed congruence.

Theorem 12 $\simeq_{gs} \subseteq \simeq_g$.

Proof. We will construct a relation $S$ such that clearly $\simeq_{gs} \subseteq S$, and prove that $S \subseteq \simeq_g$. The intuition is as follows. If two terms are related by $\simeq_{gs}$, then they are congruent when placed in any initial context. We will design a particular context $R_N$ parameterised by a set of sorted names $N$, and define

$S = \{(P,Q) : R_N \mid P \;\sim_g\; R_N \mid Q \text{ for all } N \supseteq fn(P,Q)\}.$

To prove that $S \subseteq \simeq_g$ we show that $S$ is an inside-outside bisimulation (by Theorem 10 the two coincide); for this we need $R_N$ to be sophisticated enough to demonstrate the four properties of $\sim_{io}$ (Definition 8): whenever $P \,S\, Q$ then

1. $Eq(P) = Eq(Q)$;

2. $x{=}y \mid P \;S\; x{=}y \mid Q$ for any fusion $x{=}y$, for $x, y \in fn(P,Q)$;

3. $P \xrightarrow{\tau} P'$ implies $Q \xrightarrow{\tau} Q'$ with $P' \,S\, Q'$;

4. $P \xrightarrow{\mu} I{:}P'$ implies $Q \xrightarrow{\mu} I{:}Q'$ with $P' \,S\, Q'$.

(Actually, Definition 8 combines the final two properties into a single line. We have separated them here because they involve very different proof techniques.)

We now define $R_N$. It uses a family of fresh channels $r_S$ as part of a ‘database’ of names $N$: if $x{:}S \in N$ then $R_N$ will contain $!\bar r_S x$. (The subscript $S$ indicates the sort of $x$; a sortless proof is also possible.) It also uses fresh channels to signal the tests of each of the four properties: $t_{S1}$ for a test of property 1, $t_{S2}$ for a test of property 2, and $t_{S4a}$ and $t_{S4b}$ to signal an input or output commitment for property 4. In the following, for the last three cases we write $S \in N$ to range over $\{S : (n{:}S \in N)\}$; and in the final case we write $\bar r x_i$ to stand for the correctly-sorted $\bar r$ (i.e. indexed by the sort of $x_i$).

$R_N \;=\; \prod_{n:S \in N} !\bar r_S n$ (database)

$\qquad \mid\; \prod_{S \in N} !r_S(x).r_S(y).(ab)\,\bar t_{S1} xyab.(\bar x a.\bar a_1 \mid yb)$ (property 1)

$\qquad \mid\; \prod_{S \in N} !r_S(x).r_S(y).(cd)\,\bar t_{S2} xycd.(\bar c x.d \mid cy)$ (property 2)

$\qquad \mid\; \prod_{S \in N} \big(\, !r_S(u).u(x).\bar t_{S4a} ux.(!\bar r x_1 \mid \dots \mid !\bar r x_n) \;\mid\; !r_S(u).\bar u(x).\bar t_{S4b} ux.(!\bar r x_1 \mid \dots \mid !\bar r x_n) \,\big)$ (property 4)


It remains to demonstrate how this initial context $R_N$ can establish each of the properties. We start with property 4, because it will explain the database. Assume that $P \xrightarrow{\mu} I{:}P'$ with $I = (z)(y : \_)$. Then these transitions are possible:

$R_N \mid P \;\xrightarrow{\tau}\; (zx)(y{=}x \mid R_N \mid P' \mid \bar t ux.(!\bar r x_1 \mid \dots \mid !\bar r x_n))$

$\qquad \equiv\; (z)(R_N \mid P' \mid \bar t uy.(!\bar r y_1 \mid \dots \mid !\bar r y_n))$

$\qquad \xrightarrow{\bar t_{S4a}}\; (z)(uy : R_{Ny} \mid P').$

Hence also $R_N \mid Q$ makes the transition $R_N \mid Q \xrightarrow{\tau} \xrightarrow{\bar t_{S4a}} (z)(uy : R_{Ny} \mid Q')$ with $R_{Ny} \mid P' \sim_g R_{Ny} \mid Q'$. This transition must have come from $Q \xrightarrow{\mu} (z)(y : Q')$, so proving the property. But there is an extra issue with property 4, which explains the database $N$ and why the definition of $S$ was for $N$ equal to or greater than the free names of $P$ and $Q$. If the transition $P \xrightarrow{\mu} I{:}P'$ emits names $y$ in the interface $I$, even as bound names, then subsequent tests of the properties must test over $y$ as well as $N$. This is satisfied because, after the name $y$ has been emitted, we obtain the larger testing context $R_{Ny}$.

For property 1, for any $x, y \in N$ we have $R_N \mid P \xrightarrow{\bar t_{S1}} (ab)(xyab : \bar x a.\bar a_1 \mid yb \mid R_N \mid P)$. If $P \vdash x{=}y$ then this makes the further transitions

for $b_1$ the first element of $b$. By bisimilarity, $R_N \mid Q$ makes the same transitions, which can only have happened because $Q \vdash x{=}y$ as well. (In the case where $x$ and $y$ have empty sort, giving $a$ and $b$ with zero arity, then $a_1$ does not exist and this test would not work. The solution is to first use a transformation $\iota$ that converts all zero-arity channels into single-arity channels with a dummy argument. Then use $S = \{(P,Q) : R_N \mid \iota P \;\sim_g\; R_N \mid \iota Q\}$. We will ignore this additional complexity, since it does not substantially affect the proof.)

For property 2, for any $x, y \in N$, $R_N \mid P$ makes a sequence of transitions $R_N \mid P \longrightarrow \cdots \longrightarrow x{=}y \mid R_N \mid P$. By bisimilarity $R_N \mid Q$ makes the same transitions. Therefore $(x{=}y \mid P,\; x{=}y \mid Q) \in S$.

For property 3, suppose $P \xrightarrow{\tau} P'$. Then $R_N \mid P \xrightarrow{\tau} R_N \mid P'$ and (through bisimilarity) $R_N \mid Q \xrightarrow{\tau} T'$ with $R_N \mid P' \sim_g T'$. Where did this tau transition come from? Not from $R_N$ interacting with $Q$, since they have no prefixes in common. Not from $R_N$ on its own, since this could only have been an interaction between $!\bar r n$ and one of the four tests, in which case $T'$ would admit either $\bar t_{S1}$ or $\bar t_{S2}$ or $\bar t_{S4a}$ or $\bar t_{S4b}$. But none of these is matched by $R_N \mid P'$, so the reaction must have come from $Q$ alone, i.e. $R_N \mid Q \xrightarrow{\tau} R_N \mid Q'$ and hence $R_N \mid P' \sim_g R_N \mid Q'$. □



Theorem 13 (Barbed congruence)

Proof. The first part is a trivial corollary of Theorem 12. The second part uses the same ‘stratification of bisimilarities’ technique as is used in the pi calculus ([23], Theorem 2.2.9). □

We remark that two extra operators, match and internal choice, are used in the proof by stratification. As discussed in [23], their use is easily encoded into a calculus which lacks them, such as the explicit fusion calculus studied here.



6 Conclusions and Future Work

One of Parrow’s instincts behind the fusion calculus [22] was that it would yield a straightforward bisimulation theory: that the standard congruences would coincide, and that open bisimulation would be simpler. Parrow and Victor defined a congruence for the fusion calculus, hyperequivalence, but its definition is non-standard and perhaps a little complicated. This paper provides an in-depth account of strong bisimulation for the explicit fusion calculus. We have taken the standard congruence definitions from the pi calculus, shown that they can be applied directly to the explicit fusion calculus, and proved that they describe the same relation. Our proof techniques rely on the inside-outside bisimulation (Definition 8), which is analogous to (and simpler than) open bisimulation for the pi calculus. These results surprised us. The connections between fusion bisimulation and pi bisimulation have not previously been apparent, since each fusion calculus has used its own customised definitions of transitions and bisimulation. By contrast, we use standard definitions.
Abstract. We show that in perfect-information stochastic parity games with a finite state space both players have optimal pure positional strategies. Contrary to the recent proofs of this fact by K. Chatterjee, M. Jurdziński, T.A. Henzinger [2] and A.K. McIver, C.C. Morgan [14], the proof given in this paper proceeds by a straightforward induction on the number of outgoing transitions available to one of the players and is self-contained.



1 Introduction 

The subject of infinite stochastic games takes its source in the paper of Shapley [15] where the existence of value is proved for discounted games. In the sequel other types of payments for repetitive games, like mean payoff, traditionally examined by the game theory community were also applied in the context of stochastic games, see [11] for the comprehensive textbook treatment of the subject. More recently stochastic games entered in the domain of computer science where the main motivation is in the verification of properties of probabilistic programs [7,8,5,6,14]. However, in this new context the natural winning criterion is given by the parity condition.

A perfect-information stochastic parity game is played by two players on a graph with the vertices partitioned into three sets $S_0$, $S_1$ and $S_P$, where $S_0$ and $S_1$ are the vertices of players Even and Odd while $S_P$ is the set of randomized vertices. The players play by moving the token between vertices; if the token is in a vertex $s \in S_0 \cup S_1$ then the corresponding player moves it to some successor vertex. With each randomized vertex $s \in S_P$ there is associated a fixed probability distribution of successor vertices; if the token visits such a vertex then the next position is chosen according to this distribution. The winning player is determined by the parity condition: the vertices are labeled with non negative integers (priorities) and if the maximal priority visited infinitely often during an infinite play is even then the player Even wins, otherwise the player Odd wins.

* This research was supported by European Research Training Network: Games and Automata for Synthesis and Validation and Action Spécifique: Automates, modèles distribués et temporisés.



I. Walukiewicz (Ed.): FOSSACS 2004, LNCS 2987, pp. 499—513, 2004. 
The objective of each player is to maximize his winning probability. The main result of the present paper is that each player has an optimal positional (memoryless) and pure (deterministic) strategy for switching control parity games over a finite state space. Since the number of possible positional pure strategies is exponential in the number of edges, this allows one to compute optimal strategies and maximal winning probabilities in exponential time. Since the one player case can be solved polynomially, two-player parity games are in fact in NP $\cap$ co-NP [2]. Note that for simpler reachability objectives the existence of optimal pure positional strategies was proved in [3].

The results presented here do not carry over to an infinite state space: there exist infinite simple stochastic Büchi games with just one player such that this player has only non positional $\varepsilon$-optimal strategies [12].

Let us note that the existence of pure positional strategies is known for other 
games such as non stochastic parity games (also with infinite state space) [9] or 
discounted and average stochastic perfect information games [11]. 

This contrasts with more complex stochastic games with simultaneous moves which were examined in a series of papers [7,5,6]. For such games the game value can be non rational even if the data are rational and only $\varepsilon$-optimal infinite memory strategies are in general available. The main achievement in this direction is the proof of the existence of the value for “concurrent” stochastic parity games [7]. It is interesting to note that while “deterministic” parity games are closely related to model checking and the $\mu$-calculus [1,10] over finite lattices, [7] shows that concurrent stochastic parity games are related to the $\mu$-calculus over infinite lattices of mappings from the set of states to the interval $[0;1]$.

Recently K. Chatterjee, M. Jurdziński, T.A. Henzinger [2] have given another proof of the existence of memoryless pure optimal strategies in switching control parity games. However, their proof is quite different; in particular they rely on the non trivial result concerning the existence of the value in stochastic games with simultaneous moves [7,13].

Our approach to the problem is more elementary: we prove at the same time the existence of the value and the existence of optimal memoryless pure strategies by induction on the number of edges. The technique developed here for parity games can be adapted to other situations where the game arena is finite.

2 Preliminaries 

Simple parity games are played by two players Even and Odd on arenas $(S_0, S_1, S_P, succ, p, g)$ consisting of the following elements: $S_0$, $S_1$, $S_P$ are three disjoint sets of states, the states of $S_0$ and $S_1$ belong respectively to the player Even and the player Odd while $S_P$ is the set of randomized states, $g : S \to [0..n]$ is a priority mapping from the set $S = S_0 \cup S_1 \cup S_P$ of all states to an initial segment $[0..n]$ of non negative integers ($g(s)$ is the priority of the state $s$), $succ : S_0 \cup S_1 \to \mathcal{P}(S)$ is the successor mapping associating with each state of $S_0 \cup S_1$ a non empty set of available successor states. Finally, $p$ is a set of conditional probabilities: for each randomized state $s \in S_P$ and any state $s' \in S$, $p(s' \mid s)$ is the probability that the next state is $s'$ under the condition that the current state is $s$. It is convenient to extend the successor mapping to randomized states by setting for $s \in S_P$, $succ(s) = \{s' \mid p(s' \mid s) > 0\}$. We assume that $p$ satisfies the usual conditions of probability distribution:

for all $s \in S_P$, $\sum_{s' \in succ(s)} p(s' \mid s) = 1$, where $0 < p(s' \mid s) \le 1$.

Given an arena, the parity game $G(s)$ is played in the following way. The initial state at the moment $0$ is $s = s_0$. For all moments $i \ge 0$, if the current state is $s_i \in S$ then

(1) if $s_i \in S_0$ then player Even chooses the next state $s_{i+1} \in succ(s_i)$,

(2) if $s_i \in S_1$ then player Odd chooses the next state $s_{i+1} \in succ(s_i)$,

(3) if $s_i \in S_P$ then the next state $s_{i+1}$ is chosen with the probability $p(s_{i+1} \mid s_i)$.

Thus after an infinite number of steps we get an infinite sequence $(s_i)_{i \ge 0}$ of visited states that is called a play in the game $G(s)$.

Let $\limsup_i g(s_i)$ be the maximal priority visited infinitely often in the play $(s_i)_{i \ge 0}$. If this priority is even then the player Even wins the play, otherwise the player Odd wins.

We have assumed here that for each state $s \in S$, $succ(s) \ne \emptyset$. The case of terminating plays with $succ(s) = \emptyset$ for some states $s$ can be easily adapted by introducing for each such state a self-loop by setting $succ(s) = \{s\}$.

In the sequel by $Win_0(s)$ and $Win_1(s)$ we shall note respectively the set of winning plays for the players Even and Odd in the game $G(s)$, i.e. plays where the maximal priority visited infinitely often is even/odd.

Informally, the aim of each player is to maximize his probability of winning the parity game.

Any non empty finite sequence of states starting from $s$ is a history in $G(s)$.

A strategy $\sigma$ for the player Even in $G(s_0)$ is a mapping assigning to each history $s_0 s_1 \dots s_n$ starting at $s_0$ and terminating at a state $s_n \in S_0$ the conditional probability $\sigma(\cdot \mid s_0 s_1 \dots s_n)$ of choosing the next state. We assume that only the states available at the current state $s_n$ can be chosen, i.e. $\sum_{s' \in succ(s_n)} \sigma(s' \mid s_0 s_1 \dots s_n) = 1$ and $\sigma(s' \mid s_0 s_1 \dots s_n) = 0$ for $s' \notin succ(s_n)$.

A strategy $\tau$ for the player Odd is defined symmetrically.

In the sequel, $\sigma$ and $\tau$, with subscripts if necessary, will always stand for strategies of Even and Odd.

Given the strategies $\sigma$ and $\tau$ of Even and Odd in $G(s_0)$ we can draw a probability tree: the histories $s_0 S^*$ constitute its vertices and we assign the probability $\alpha(s_{n+1} \mid s_0 s_1 \dots s_n)$ to the edge going from the vertex $s_0 s_1 \dots s_n$ to the vertex $s_0 s_1 \dots s_n s_{n+1}$, where $\alpha$ is either $\sigma$, or $\tau$, or $p$ depending on whether the last state $s_n$ in the history belongs to $S_0$, $S_1$, or $S_P$. Then the probability of an open set $s_0 s_1 \dots s_k S^\omega$ is obtained by multiplying all probabilities along the path from $s_0$ to $s_0 s_1 \dots s_k$ in the probability tree. It is a standard result of measure theory (uniqueness of bounded measures defined with $\pi$-systems) that this extends to a unique probability measure over Borel sets of plays starting from $s_0$. This probability measure will be noted by $P_{\sigma\tau}$.

A parity game $G(s)$ in the normal form is played in the following way: the player Even chooses a strategy $\sigma$ and at the same time and independently the player Odd chooses a strategy $\tau$. Then Even receives $P_{\sigma\tau}(Win_0(s))$ while Odd receives $P_{\sigma\tau}(Win_1(s))$ and the aim of each player is to maximize his gain. Since $P_{\sigma\tau}(Win_1(s)) + P_{\sigma\tau}(Win_0(s)) = 1$ this is a constant sum game. (We can formulate it equivalently as a zero sum game if we assume that Odd pays to Even the amount $P_{\sigma\tau}(Win_0(s))$; then the aim of Odd would be to minimize $P_{\sigma\tau}(Win_0(s))$. We prefer however the first formulation since it allows a more symmetrical treatment of both players.)

We have always

$\underline{val}_0(G(s)) = \sup_\sigma \inf_\tau P_{\sigma\tau}(Win_0(s)) \;\le\; \inf_\tau \sup_\sigma P_{\sigma\tau}(Win_0(s)) = \overline{val}_0(G(s))$

$\underline{val}_1(G(s)) = \sup_\tau \inf_\sigma P_{\sigma\tau}(Win_1(s)) \;\le\; \inf_\sigma \sup_\tau P_{\sigma\tau}(Win_1(s)) = \overline{val}_1(G(s))$ $\qquad (1)$

Notation. In the sequel, it will be sometimes convenient to use $0$ and $1$ as synonyms of the names Even and Odd of players.

The quantities $\underline{val}_i(G(s))$ and $\overline{val}_i(G(s))$ are called respectively the lower and upper values of the game $G(s)$ for the player $i$. If the lower and upper values are equal then this quantity is called the value of the game $G(s)$ (for the player $i$) and is noted as $val_i(G(s))$.

Note the obvious equalities: $\underline{val}_0(G(s)) = 1 - \overline{val}_1(G(s))$ and $\overline{val}_0(G(s)) = 1 - \underline{val}_1(G(s))$, in particular $val_1(G(s)) = 1 - val_0(G(s))$ where the left hand side exists iff the right hand side exists.

A strategy $\sigma$ of the player Even in $G(s)$ is optimal if the value $val_0(G(s))$ exists and, for all strategies $\tau$ of Odd, $P_{\sigma\tau}(Win_0(s)) \ge val_0(G(s))$. Symmetrically, $\tau$ is optimal for Odd if the game value exists and, for all strategies $\sigma$ of Even, $P_{\sigma\tau}(Win_1(s)) \ge val_1(G(s))$ or equivalently $P_{\sigma\tau}(Win_0(s)) \le val_0(G(s))$.

Among all available strategies, the simplest are positional and pure strategies.

A strategy $\sigma$ for player Even is positional if the probability $\sigma(s_{n+1} \mid s_0 \dots s_n)$, $s_n \in S_0$, depends only on the current state $s_n$ and is independent of the preceding history. Thus such a strategy can be seen as a family of conditional probabilities $\sigma(\cdot \mid s)$, $s \in S_0$, satisfying the usual conditions: $\sum_{s' \in succ(s)} \sigma(s' \mid s) = 1$ and $\sigma(s' \mid s) = 0$ for $s' \notin succ(s)$.

A strategy $\sigma$ is pure if it chooses exactly one of the successor states with probability one.

A strategy $\sigma$ for player Even is universally optimal if $\sigma$ is positional, pure and optimal for all games $G(s)$, i.e. optimal independently of the initial state.

The notions of positional, pure and universally optimal strategies for player Odd are defined symmetrically.

The aim of this paper is to prove the following result:

Theorem 1. If the set of states is finite then for each initial state the parity game $G(s)$ has a value. Moreover, each player has a universally optimal strategy.

In the sequel we always assume that the set of states is finite.
3 One Player Stochastic Parity Games

A Markov decision process (MDP) with the parity criterion is a simple parity game where one of the two players is dummy, i.e. his set of states is empty. All the information about parity MDPs useful in the sequel can be deduced from [8] and [4]; we recall here these results for the sake of completeness and apply them in the context of parity MDPs.

Suppose that $G = (S_1, S_P, succ, p, g)$ is a parity MDP, where the set of states of player Even is empty (the case where $S_1$ rather than $S_0$ is empty can be treated in the same way).

Such games always have a value and the aim of this section is to prove that Odd has a universally optimal strategy $\tau$ and to examine in detail the structure of $\tau$.

With the MDP $G$ we can associate the graph of $G$, noted $\mathcal{G}$: the vertices of this graph are the states of $G$ and the edges are pairs $(s, s')$ such that $s' \in succ(s)$.

The following notion appears in [8], although a similar concept appears also in [4].

An end component of $G$ is a subgraph $G'$ of $\mathcal{G}$ such that: (1) for each randomized state $s$ of $G'$, the graph $G'$ contains also all successor states $s'$ of $s$ together with all corresponding edges $(s, s')$, (2) for all non randomized states $s$ of $G'$, $G'$ contains at least one outgoing edge (together with the corresponding successor state) and (3) $G'$ is strongly connected.

Lemma 1 ([8]). With each infinite play $\mathbf{s} = (s_i)_{i \ge 0}$ starting from $s = s_0$ we associate a subgraph $\inf(\mathbf{s})$ of $\mathcal{G}$ consisting of the states and edges that appear infinitely often in $\mathbf{s}$. For any strategy $\tau$ of Odd in MDP $G(s)$, the set of plays $\mathbf{s}$ such that $\inf(\mathbf{s})$ is an end component of $G$ has measure 1.

Proof. If a non randomized state $s$ is visited infinitely often in $\mathbf{s}$ then for at least one of its successors $s'$ the edge $(s, s')$ is visited infinitely often.

If a randomized state $s$ is visited infinitely often then almost always (i.e. with probability one) all outgoing edges $(s, s')$ are visited infinitely often. (More exactly, for any strategy $\tau$, the set of plays where $s$ appears infinitely often has the same measure as the set of plays where all outgoing edges $(s, s')$ appear infinitely often.) These two facts yield the thesis. □



Lemma 2. Suppose that the greatest priority inside of an end component $G'$ is odd. Let $U$ be the set of states of $G'$. Then the player Odd has a positional pure strategy on $U$ allowing him to visit the states with the maximal priority infinitely often with probability 1 (and he wins in this way the parity game with probability 1 as well). Moreover, as long as he uses this strategy the token never leaves $U$.

Proof. Let $G' = (U, E)$ and $A$ the subset of $U$ consisting of vertices with the maximal priority. We define the distance of a vertex $s$ of $G'$ from $A$ as the length of the shortest path in $G'$ from $s$ to some vertex of $A$. Thus any vertex $s \in U$ at the distance $i > 0$ has at least one successor at the distance $i - 1$. Now the strategy of player Odd consists in choosing always a fixed successor with the smallest distance from $A$. Suppose that using this strategy we do not visit $A$ infinitely often and that $s$ is a vertex visited infinitely often with the smallest distance from $A$. However if $s$ belongs to Odd then, with the strategy described above, some successor of $s$ closer to $A$ is visited infinitely often. If $s$ is a randomized vertex then with probability one all outgoing edges, and therefore all successor vertices, are visited infinitely often, in particular the one closer to $A$ than $s$ itself. Finally note that the moves at the random states of $U$ can never put the token outside of $U$ (since all successors of such states are in $U$) and the same holds for the moves in the non random states advised by the strategy described above. □

Let us call an end component $G'$ favorable for the player Odd if it satisfies the conditions of Lemma 2, i.e. the maximal priority in $G'$ is odd. A state $s$ is said to be favorable (for the player Odd) if it belongs to some favorable end component.

Lemma 3. Let $U$ be the set of all favorable states. Player Odd has a positional pure strategy over $U$ allowing him to win the parity game with the probability 1.

Proof. Let us fix an enumeration of all favorable end components and let $U_i$ be the set of states of the $i$-th end component in this enumeration. Thus $U = \bigcup_i U_i$.

By Lemma 2 on each $U_i$ the player Odd has a positional pure strategy $\tau_i$ allowing him to win with the probability 1. Let $s \in U \cap S_1$ and $l = \min\{i \mid s \in U_i\}$. Then when the token is in $s$ the player Odd applies the strategy $\tau_l$.

In this way, for each play, Odd will change only finitely many times his strategy, with each change taking a new strategy $\tau_i$ with a smaller index $i$. From some moment onward, the remaining play will be played with a fixed strategy $\tau_i$ and therefore Odd will win it with the probability 1. (The formal reasoning will use the residual strategies and the decomposition defined at the beginning of the next section.) □

Proposition 1. Player Odd has an universally optimal strategy r in parity 
MDP G = {Si, Sp,sViCC,p, g). Let U be the set of favorable states for player Odd 
in G. The strategy t consists in attracting the token to U with the maximal 
probability and next in playing the optimal strategy in U. 

Let X be the set of states s such that there is no path in the graph G of G 
from s to U . Ln all games G{s), s G X, player Odd loses with probability 1 for 
all his strategies t. 

If player Odd uses his universally optimal strategy $\tau$ described above then with probability 1 the token hits either U or X and once in one of these two sets it will never leave it.

If $s \in S \setminus U$ then for any strategy $\tau$ of Odd in G(s), if the token does not enter U then player Odd loses with probability 1; more formally $P_{\tau}(\mathrm{Win}_1(s) \cap s(S \setminus U)^\omega) = 0$ for $s \in S \setminus U$.

Proof. Suppose that $s \in S_1 \setminus U$, where U is the set of all favorable states for the player Odd, and let $\tau$ be his strategy in G(s). As we know from Lemma 1, with probability 1 the set of states and edges that appear infinitely often when Odd plays $\tau$ forms an end component. If such a component does not intersect U then, by the definition of U, the play ending in this end component is lost for the player Odd. Therefore the optimal strategy for Odd consists in fact in attracting the token to U with the maximal probability and next playing in U using his positional pure strategy as shown in Lemma 3. The problem of finding the maximal probability to reach a fixed set of states can be formulated as a linear programming problem and moreover it can be shown that the player Odd has an optimal positional pure strategy assuring him the maximal probability to reach U, see [4,3,8].

Now suppose that the play starts in a state $s \in X$. Then the token never reaches the set U and therefore the probability to win the parity game G(s) for $s \in X$ is 0 for any possible strategy of Odd. On the other hand, if the state s is such that there exists in G a path from s to U then obviously there is a strategy to reach U with a positive probability, and therefore a strategy to win the parity game G(s) with a positive probability. □

Thus X is precisely the set of states where Odd loses almost surely. 

4 Two Player Stochastic Parity Games 

To simplify the notation, we shall assume that each state of Odd has at most two successors.

We shall prove that the parity games on finite arenas have values for all initial states and that player Even has an optimal positional pure strategy by induction on the number of successors available at states of $S_0$.

If for each state $s \in S_0$, succ(s) contains exactly one state then player Even is in fact dummy and basically we have a one player stochastic parity game controlled completely by player Odd. Then, as explained in Section 3, the game has a value and player Odd has a positional pure optimal strategy. Since player Even always has one successor state for each $s \in S_0$ he has a unique strategy available to him, which is positional and pure (and optimal as he has no alternative).

We shall use the following notation for games G that have a value for each 
starting state s: 



$$V_i^{=1}(G) = \{s \in S \mid \mathrm{val}_i(G(s)) = 1\}$$

$$V_i^{>0}(G) = \{s \in S \mid \mathrm{val}_i(G(s)) > 0\}$$

denote respectively the set of states where the player i can win with the probabil- 
ity 1 and the set of states where he can win with a (strictly) positive probability. 

Let G be a parity game, $h = s_0 \ldots s_k$ a history starting at $s_0$ and ending at some state $s_k$ and $\sigma$ a strategy for a player i in $G(s_0)$. The residual strategy $\sigma_h$ for the player i is the strategy in the game $G(s_k)$ defined as $\sigma_h(s_k s_{k+1} \cdots s_n) = \sigma(h s_{k+1} \cdots s_n)$, where $s_k s_{k+1} \cdots s_n$ is a history starting at $s_k$ and ending in a state $s_n \in S_i$.

A strategy $\tau$ of the player Odd in the game G(s) is residually optimal if for all histories h starting in s and ending in a state $s' \in S_1$, the residual strategy $\tau_h$ is optimal in the game G(s').

Definition 1. Suppose that G is a parity game such that the value exists for all states. Let U be a set of states and $s \in U$. A strategy $\tau$ for player Odd in the game G(s) is persistent over U if for any strategy $\sigma$ of Even in G(s), $P_{\sigma,\tau}(\mathrm{Win}_1(s) \cap sU^\omega) = P_{\sigma,\tau}(sU^\omega)$.

Thus if the player Odd plays using a persistent strategy over U and if the 
token never leaves U then Odd wins almost surely. 

Since several lemmas below share the same conditions we shall list them now 
for the sake of convenience. 

Condition A. $(S_0, S_1, S_p, succ, p, g)$ is an arena of a game G and $s \in S_0$ a state of player Even with two successors, $succ(s) = \{s_1, s_2\}$. By $G_i$, i = 1, 2, we denote the parity games on arenas $(S_0, S_1, S_p, succ_i, p, g)$ that are identical with G, except that in $G_i$ the state s has only one successor: $succ_i(s) = \{s_i\}$.

Condition B. The games $G_1$ and $G_2$ have values for all initial states s.

Condition C. Player Even has optimal positional pure strategies $\sigma_1$ and $\sigma_2$ in the games $G_1$ and $G_2$ respectively; these strategies are universally optimal, i.e. optimal independently of the starting state.

Condition D. For each state $s' \in S$, player Odd has residually optimal strategies $\tau_1$ and $\tau_2$ in the games $G_1(s')$ and $G_2(s')$ respectively. Moreover, each $\tau_i$, i = 1, 2, is persistent over $V_1^{>0}(G_i)$.

Proposition 2. Suppose that Conditions A, B, C and D are satisfied and $\mathrm{val}_0(G_2(s)) \le \mathrm{val}_0(G_1(s))$ (the case $\mathrm{val}_0(G_1(s)) \le \mathrm{val}_0(G_2(s))$ is symmetrical). Then the following assertions hold:

(i) For all states $s' \in S$, $\mathrm{val}_0(G_2(s')) \le \mathrm{val}_0(G_1(s'))$ and $\mathrm{val}_1(G_1(s')) \le \mathrm{val}_1(G_2(s'))$, in particular $V_0^{>0}(G_2) \subseteq V_0^{>0}(G_1)$ and $V_1^{>0}(G_1) \subseteq V_1^{>0}(G_2)$.

(ii) G has the same values as $G_1$, i.e. for $s' \in S$, $\mathrm{val}_0(G(s')) = \mathrm{val}_0(G_1(s'))$.

(iii) The strategy $\sigma_1$ optimal in $G_1$ for Even is also optimal for him in G; for $s' \in S$ it assures him the gain of at least $\mathrm{val}_0(G_1(s'))$, i.e. $\inf_\tau P_{\sigma_1,\tau}(\mathrm{Win}_0(s')) \ge \mathrm{val}_0(G_1(s'))$, where $\tau$ ranges over all strategies of Odd in the game G(s').

(iv) For each starting state $s' \in S$, there exists a strategy $\tau$ of the player Odd in the game G(s') such that

(1) $\tau$ is optimal: it assures that Even cannot win more than $\mathrm{val}_0(G_1(s'))$, i.e. $\sup_\sigma P_{\sigma,\tau}(\mathrm{Win}_0(s')) \le \mathrm{val}_0(G_1(s'))$, where $\sigma$ ranges over the strategies of Even in the game G(s'),

(2) $\tau$ is residually optimal,

(3) $\tau$ is persistent over the set $V_1^{>0}(G_1)$.

Let us note the asymmetry in the treatment of the players Even and Odd in Proposition 2. While at each stage of the induction the optimal strategies of Even are always pure and positional, this property does not hold for the strategies of Odd. In fact, the optimal strategies of Odd in G will be obtained from optimal strategies of Odd in $G_1$ and $G_2$ in such a way that the resulting strategy will not be positional in general (but it will always be pure).

We can apply immediately Proposition 2 to get: 

Proof of Theorem 1 

As we have seen in Proposition 1 the unique player in one person parity games has an optimal positional pure strategy $\tau$. Let $V_1^{>0}(G)$ be the set of states where his winning probability is positive. If the game starts in $V_1^{>0}(G)$ and the unique player uses $\tau$ then with probability 1 the token either hits the set of states where he wins with probability 1 or it hits the set of states where the player wins with probability 0. In particular, when Odd plays $\tau$ and the token remains forever in $V_1^{>0}(G)$ then in fact the token hits $V_1^{=1}(G)$ with probability 1 and hence he wins with probability 1. Thus $\tau$ is trivially persistent over $V_1^{>0}(G)$. Therefore Conditions A–D are satisfied for the games where the player Even is dummy.

Proposition 2 shows that this situation carries over when we use the induction over the number of successor states for player Even. Suppose that A–D hold. If we have solved the games $G_1$ and $G_2$ then it suffices to compare the winning probabilities at the state s to choose the optimal strategy for Even: if $\mathrm{val}_0(G_1(s)) \ge \mathrm{val}_0(G_2(s))$ then the universally optimal strategy $\sigma_1$ in $G_1$ is also universally optimal in G, otherwise the strategy $\sigma_2$ universally optimal in $G_2$ is universally optimal in G. In fact this choice allows the player Even to win at least $\max\{\mathrm{val}_0(G_1(s')), \mathrm{val}_0(G_2(s'))\}$ in G(s'). To show that he cannot win more, it is necessary to construct a strategy $\tau$ of Odd in G(s') such that playing against $\tau$ the player Even wins at most $\max\{\mathrm{val}_0(G_1(s')), \mathrm{val}_0(G_2(s'))\}$; this is the last part of Proposition 2.

Thus by induction we establish that Even always has an optimal pure positional strategy. Of course, exchanging the roles of Even and Odd we can establish the existence of an optimal pure positional strategy for Odd. □

Let $X \subseteq sS^*$ be a prefix closed set of histories, $\sigma_1, \sigma_2, \tau_1, \tau_2$ strategies of Even and Odd in G(s). We say that $(\sigma_1,\tau_1)$ and $(\sigma_2,\tau_2)$ are equivalent on X if for each history $h = h's' \in X$, if $s' \in S_0$ then $\sigma_1(s' \mid h') = \sigma_2(s' \mid h')$ and if $s' \in S_1$ then $\tau_1(s' \mid h') = \tau_2(s' \mid h')$.

We say that $(\sigma_1,\tau_1)$ and $(\sigma_2,\tau_2)$ are equivalent over a Borel set U of plays if they are equivalent over the set of all prefixes of U.

The following lemma summarizes elementary facts concerning the probabilities $P_{\sigma,\tau}$ that will be used frequently, most of the time tacitly, in the sequel.

Lemma 4. (1) If $(\sigma_1,\tau_1)$ and $(\sigma_2,\tau_2)$ are equivalent over a prefix closed set X of histories then for each Borel set U of plays in G(s) such that all prefixes of U belong to X we have $P_{\sigma_1,\tau_1}(U) = P_{\sigma_2,\tau_2}(U)$.

(2) For all strategies $\sigma$ and $\tau$ and histories $h = h's'$ in G(s),

$$P_{\sigma,\tau}(X \cap hS^\omega) = P_{\sigma,\tau}(hS^\omega)\, P_{\sigma_h,\tau_h}(s'(h^{-1}X)),$$

where $h^{-1}X = \{u \mid hu \in X\}$.

Proof. (2) $P_{\sigma,\tau}(X \cap hS^\omega) = P_{\sigma,\tau}(X \cap hS^\omega \mid hS^\omega)\, P_{\sigma,\tau}(hS^\omega)$. However, $P_{\sigma,\tau}(X \cap hS^\omega \mid hS^\omega)$ is equal to the probability of the event $s'(h^{-1}X)$ in the residual game played with the residual strategies. □



The proof of Proposition 2 goes through several lemmas. Let $\alpha$ and $\beta$ be strategies for a player i in the games G(s) and G(s') respectively, $s, s' \in S$. Then by $\alpha[\beta]$ we denote a new strategy of i in G(s) that informally can be described as follows: play as $\alpha$ till the first visit to s', next play always according to $\beta$. Formally, if $h \in sS^*$ and the last state of h belongs to $S_i$ then

$$\alpha[\beta](h) = \begin{cases} \alpha(h) & \text{if } h \text{ does not contain } s' \\ \beta(s'h'') & \text{if } h = h's'h'' \text{ and } h' \text{ does not contain } s'. \end{cases}$$



Lemma 5. Let G be a parity game. Let $H = s'(S \setminus \{s\})^*$ be the set of histories that start at s' and never visit s, $E = s'(S \setminus \{s\})^\omega$ the set of (infinite) plays that start at s' and never visit s and $\bar{E} = s'S^\omega \setminus E$ the set of plays that start at s' and visit s at least once. Let $\sigma'$, $\tau'$ be strategies of Even and Odd in G(s'). Then

(1) $$P_{\sigma',\tau'}(\mathrm{Win}_0(s')) = P_{\sigma',\tau'}(\mathrm{Win}_0(s') \cap E) + \sum_{h \in H} P_{\sigma',\tau'}(hsS^\omega)\, P_{\sigma'_{hs},\tau'_{hs}}(\mathrm{Win}_0(s)),$$

where $\sigma'_{hs}$ and $\tau'_{hs}$ are residual strategies.

(2) If $\sigma_1, \tau_1, \sigma_2, \tau_2$ are strategies in G(s) such that $P_{\sigma_2,\tau_2}(\mathrm{Win}_0(s)) \le P_{\sigma_1,\tau_1}(\mathrm{Win}_0(s))$ then $P_{\sigma'[\sigma_2],\tau'[\tau_2]}(\mathrm{Win}_0(s')) \le P_{\sigma'[\sigma_1],\tau'[\tau_1]}(\mathrm{Win}_0(s'))$.

Proof. Note that $\mathrm{Win}_0(s') = (\mathrm{Win}_0(s') \cap E) \cup (\mathrm{Win}_0(s') \cap \bar{E})$ and $\bar{E} = \bigcup_{h \in H} hsS^\omega$. By countable additivity of measures we get $P_{\sigma',\tau'}(\mathrm{Win}_0(s')) = P_{\sigma',\tau'}(\mathrm{Win}_0(s') \cap E) + \sum_{h \in H} P_{\sigma',\tau'}(\mathrm{Win}_0(s') \cap hsS^\omega)$. By Lemma 4 and since $s(hs)^{-1}\mathrm{Win}_0(s') = \mathrm{Win}_0(s)$, $P_{\sigma',\tau'}(\mathrm{Win}_0(s') \cap hsS^\omega) = P_{\sigma',\tau'}(hsS^\omega)\, P_{\sigma'_{hs},\tau'_{hs}}(\mathrm{Win}_0(s))$.

Now applying (1) two times (and Lemma 4 to substitute equivalent strategies) we get

$$P_{\sigma'[\sigma_2],\tau'[\tau_2]}(\mathrm{Win}_0(s')) = P_{\sigma',\tau'}(\mathrm{Win}_0(s') \cap E) + \sum_{h \in H} P_{\sigma',\tau'}(hsS^\omega)\, P_{\sigma_2,\tau_2}(\mathrm{Win}_0(s)) \le P_{\sigma',\tau'}(\mathrm{Win}_0(s') \cap E) + \sum_{h \in H} P_{\sigma',\tau'}(hsS^\omega)\, P_{\sigma_1,\tau_1}(\mathrm{Win}_0(s)) = P_{\sigma'[\sigma_1],\tau'[\tau_1]}(\mathrm{Win}_0(s')). \; □$$

Lemma 6. Let s and s' be two distinct states of a parity game G such that G(s) and G(s') have values. We suppose that $\sigma$, $\bar\sigma$, $\sigma'$ are respectively any strategy in G(s), an optimal strategy in G(s) and an optimal strategy in G(s') for the player Even. Similarly, $\tau$, $\bar\tau$, $\tau'$ are respectively any strategy in G(s), an optimal strategy in G(s) and an optimal strategy in G(s') for player Odd. Then the following holds:

(i) $P_{\sigma,\bar\tau[\tau']}(\mathrm{Win}_0(s)) \le P_{\bar\sigma[\sigma'],\bar\tau[\tau']}(\mathrm{Win}_0(s)) \le P_{\bar\sigma[\sigma'],\tau}(\mathrm{Win}_0(s))$.

(ii) The strategies $\bar\sigma[\sigma']$ and $\bar\tau[\tau']$ are optimal for players Even and Odd respectively in the game G(s).

Proof. Under the notation of Lemma 5 (with the roles of s and s' exchanged) we get

$$P_{\sigma,\bar\tau[\tau']}(\mathrm{Win}_0(s)) = P_{\sigma,\bar\tau[\tau']}(\mathrm{Win}_0(s) \cap E) + \sum_{h \in H} P_{\sigma,\bar\tau[\tau']}(hs'S^\omega)\, P_{\sigma_{hs'},\tau'}(\mathrm{Win}_0(s')) \quad (2)$$

since the residual strategy $(\bar\tau[\tau'])_{hs'}$ is equal to $\tau'$.

But by optimality of the strategies $\sigma'$ and $\tau'$: $P_{\sigma_{hs'},\tau'}(\mathrm{Win}_0(s')) \le \mathrm{val}_0(G(s')) = P_{\sigma',\tau'}(\mathrm{Win}_0(s'))$. Putting this into (2) and applying again Lemma 5 we get the first inequality in (i). The second inequality in (i) is symmetrical.

To prove (ii) note the following sequence of relations with $\tau$ ranging over all strategies of Odd in G(s): $\mathrm{val}_0(G(s)) = \inf_\tau P_{\bar\sigma,\tau}(\mathrm{Win}_0(s)) \le \inf_\tau P_{\bar\sigma,\tau[\tau']}(\mathrm{Win}_0(s)) \le \inf_\tau P_{\bar\sigma[\sigma'],\tau}(\mathrm{Win}_0(s))$, where the first equality follows from the optimality of $\bar\sigma$, the next inequality follows from the fact that if $\tau$ ranges over all strategies of Odd in G(s) then $\tau[\tau']$ ranges over some subset of his strategies, and the last inequality follows from (i) with $\bar\sigma$ replacing $\sigma$. However, this means that $\bar\sigma[\sigma']$ is optimal for the player Even. The optimality of $\bar\tau[\tau']$ follows by symmetry. □

Lemma 7. Under Conditions A and B, $\mathrm{val}_0(G_2(s)) \le \mathrm{val}_0(G_1(s))$ if and only if for all states s', $\mathrm{val}_0(G_2(s')) \le \mathrm{val}_0(G_1(s'))$.

Proof. Let $\sigma'_2, \sigma_2, \sigma'_1, \sigma_1$ be optimal strategies of player Even in the games $G_2(s'), G_2(s), G_1(s'), G_1(s)$ respectively. Similarly, $\tau'_2, \tau_2, \tau'_1, \tau_1$ are optimal in the same games for Odd.

From Lemma 6 we know that $\sigma'_2[\sigma_2]$ is optimal in $G_2(s')$ for Even. On the other hand, $\tau'_1[\tau_2]$ can be seen as a strategy of Odd in $G_2(s')$ since until the first visit to s playing in $G_1$ or in $G_2$ is the same. These remarks imply that $\mathrm{val}_0(G_2(s')) \le P_{\sigma'_2[\sigma_2],\tau'_1[\tau_2]}(\mathrm{Win}_0(s'))$. On the other hand, $P_{\sigma_2,\tau_2}(\mathrm{Win}_0(s)) = \mathrm{val}_0(G_2(s)) \le \mathrm{val}_0(G_1(s)) = P_{\sigma_1,\tau_1}(\mathrm{Win}_0(s))$ implies, by Lemma 5, $P_{\sigma'_2[\sigma_2],\tau'_1[\tau_2]}(\mathrm{Win}_0(s')) \le P_{\sigma'_2[\sigma_1],\tau'_1[\tau_1]}(\mathrm{Win}_0(s'))$. But by optimality of $\tau'_1[\tau_1]$ in $G_1(s')$ the right hand side of the last inequality is not greater than $\mathrm{val}_0(G_1(s'))$. □

Lemma 8. Under Conditions A and B, if $s \in V_1^{>0}(G_1) \cap V_1^{>0}(G_2)$ then $V_1^{>0}(G_1) = V_1^{>0}(G_2)$.

Proof. W.l.o.g. we can assume that $0 < \mathrm{val}_1(G_1(s)) \le \mathrm{val}_1(G_2(s))$. Then by Lemma 7, since $\mathrm{val}_1 = 1 - \mathrm{val}_0$, we get for all states s', $\mathrm{val}_1(G_1(s')) \le \mathrm{val}_1(G_2(s'))$, i.e. $V_1^{>0}(G_1) \subseteq V_1^{>0}(G_2)$. To show the inverse inclusion take s' such that $\mathrm{val}_1(G_2(s')) > 0$. Let $\tau'_2$ be optimal for Odd in the game $G_2(s')$ and $\tau_1$ optimal for Odd in $G_1(s)$. Note that $\tau'_2[\tau_1]$ is in fact a strategy in the game $G_1(s')$ since once the state s is visited player Odd begins to use $\tau_1$.

Suppose that Odd plays according to the strategy $\tau'_2[\tau_1]$ against some strategy $\sigma$. If with probability 1 the token never visits s then in fact Odd always plays according to $\tau'_2$ and therefore wins with a positive probability. If the token visits s with some positive probability then Odd plays from this moment onwards according to $\tau_1$ and again wins with a positive probability. We can conclude that Odd has a strategy in $G_1(s')$ to win with a positive probability. (The reasoning can be formalized easily with the help of Lemma 5.) □



In the sequel we assume Condition A, i.e. s has two successors: $s_1$ and $s_2$. Let $\Pi_k$, k = 1, 2, be mappings acting on histories $h \in sS^*(S \setminus \{s\})$ and defined as

$$\Pi_k(h) = \begin{cases} h & \text{if } h = ss_kh' \text{ for some } h' \in S^* \\ 1 & \text{otherwise,} \end{cases}$$

where 1 denotes the empty word.

Let $h \in sS^*(S \setminus \{s\})$ be a history in G(s) ending in a state different from s. The loop factorization of h is the unique factorization of the form $h = h_0 h_1 \cdots h_l$, where each factor $h_i$, $1 \le i \le l$, is of the form $h_i = sh'_i$ and $h'_i$ does not contain any occurrence of s. Since the factors $h_i$ do not end in s and s has exactly two successors $s_1$ and $s_2$, each $h_i$ begins either with $ss_1$ or with $ss_2$.

Then for k = 1, 2, we set $\pi_k(h) = \Pi_k(h_0)\Pi_k(h_1) \cdots \Pi_k(h_l)$. Thus $\pi_1$ preserves the factors $h_i$ of h that begin with $ss_1$ and erases the factors beginning with $ss_2$; the action of $\pi_2$ is symmetrical.

What is essential to observe is that $\pi_1(h)$ and $\pi_2(h)$ are histories in $G_1(s)$ and $G_2(s)$ respectively; in some sense $\pi_k$ erases the loops in the history h that are incompatible with the game $G_k$, k = 1, 2.

Suppose that Condition A is satisfied and $\tau_1$ and $\tau_2$ are strategies of player Odd in the games $G_1(s)$ and $G_2(s)$ respectively. We define an interleaving strategy $\tau = \tau_1 \,I\, \tau_2$ of Odd in G(s) in the following way. Let $h = h_0 h_1 \cdots h_l$ be the loop factorization of the history $h \in sS^*$ ending in a state of $S_1$. Then we set

$$\tau(h) = \begin{cases} \tau_1(\pi_1(h)) & \text{if the last factor } h_l \text{ of } h \text{ begins with } ss_1 \\ \tau_2(\pi_2(h)) & \text{if the last factor } h_l \text{ of } h \text{ begins with } ss_2. \end{cases}$$

Intuitively, if during the last visit to s player Even has chosen to go to $s_1$, as in the game $G_1$, then until the next visit to s player Odd uses the strategy $\tau_1$ with the history appropriately adjusted to $\pi_1(h)$, otherwise he uses the strategy $\tau_2$ with the history $\pi_2(h)$.

In the sequel the mappings $\pi_1$ and $\pi_2$ will also be applied to infinite plays $h \in sS^\omega$ beginning at s. Again we factorize $h = h_0 h_1 \cdots$ where the $h_i$ begin with s and do not contain other occurrences of s. (Note that either we visit s infinitely often and then h has infinitely many factors, or the last factor is infinite.) Next we erase some factors in the way indicated above with the mapping $\Pi_k$, $\pi_k(h) = \Pi_k(h_0)\Pi_k(h_1) \cdots$. If infinitely many factors begin with $ss_k$, or s is visited finitely often and the last infinite factor begins with $ss_k$, then $\pi_k(h)$ is a play in $G_k(s)$, k = 1, 2.
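
The loop factorization, the erasing maps $\Pi_k$, $\pi_k$ and the interleaving strategy $\tau_1 \,I\, \tau_2$ on finite histories, as an added example (not code from the paper); the state names and the two sample non-positional strategies are constructed.

```python
"""Loop factorization h = h0 h1 ... hl, the erasing maps Pi_k / pi_k and the interleaving
strategy tau_1 I tau_2 (Condition A: the Even state s has the successors s1, s2).
Added example, not code from the paper; histories are lists of state names, and the
sample states and strategies below are constructed."""


def loop_factorization(h, s):
    """Cut h (a history of G(s), so h starts at s) into factors that begin with s and
    contain no further occurrence of s."""
    if not h or h[0] != s:
        raise ValueError("a history in G(s) must start at s")
    factors, current = [], []
    for state in h:
        if state == s and current:
            factors.append(current)
            current = []
        current.append(state)
    factors.append(current)
    return factors


def Pi(factor, s, s_k):
    """Pi_k: keep a factor that begins with s s_k, map any other factor to the empty word."""
    return list(factor) if len(factor) > 1 and factor[0] == s and factor[1] == s_k else []


def pi(h, s, s_k):
    """pi_k(h) = Pi_k(h0) Pi_k(h1) ... Pi_k(hl): the history as seen in the game G_k(s)."""
    out = []
    for factor in loop_factorization(h, s):
        out.extend(Pi(factor, s, s_k))
    return out


def interleave(tau1, tau2, s, s1, s2):
    """tau = tau1 I tau2: after a history h ending in an Odd state, answer tau1(pi_1(h))
    if the last factor of h begins with s s1, and tau2(pi_2(h)) if it begins with s s2."""
    def tau(h):
        last = loop_factorization(h, s)[-1]
        if len(last) < 2:
            raise ValueError("tau is consulted at Odd states, so h must not end in s")
        if last[1] == s1:
            return tau1(pi(h, s, s1))
        if last[1] == s2:
            return tau2(pi(h, s, s2))
        raise ValueError("s has only the successors s1 and s2")
    return tau


# Constructed sample: s = "s" with successors "a" (as in G1) and "b" (as in G2); "o" is an
# Odd state.  The sample strategies are not positional: each alternates its choice at o
# according to the number of visits to s in its own (projected) history, so the answer
# depends on the projection and not on the full history.
def tau1(h):
    return "x" if h.count("s") % 2 == 1 else "y"


def tau2(h):
    return "u" if h.count("s") % 2 == 1 else "v"


HISTORY = ["s", "a", "o", "s", "b", "o", "s", "a", "o"]

if __name__ == "__main__":
    print(loop_factorization(HISTORY, "s"))  # [['s','a','o'], ['s','b','o'], ['s','a','o']]
    print(pi(HISTORY, "s", "a"), pi(HISTORY, "s", "b"))
    tau = interleave(tau1, tau2, "s", "a", "b")
    print(tau(HISTORY), tau(HISTORY[:6]))    # y u
```

On the full history $\tau_1$ alone would answer "x" (three visits to s), while the interleaved strategy answers "y" because $\pi_1$ erases the loop taken through "b".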

Lemma 9. Suppose that Conditions A and B hold and $s \in V_1^{>0}(G_1) \cap V_1^{>0}(G_2)$. If $\tau_1$, $\tau_2$ are persistent strategies of Odd in $G_1(s)$, $G_2(s)$ over the sets $V_1^{>0}(G_1)$ and $V_1^{>0}(G_2)$ respectively then the interleaving strategy $\tau_1 \,I\, \tau_2$ is persistent for the player Odd over $V_1^{>0}(G_1) = V_1^{>0}(G_2)$ in the game G(s).

Proof. Set $U = V_1^{>0}(G_1) = V_1^{>0}(G_2)$ (see Lemma 8). The set of plays $sU^\omega$ can be partitioned into three sets: the set $A_1$ of plays that from some moment onwards do not take any more the edge $(s, s_2)$, the symmetrical set $A_2$ of plays that from some moment onwards do not take the edge $(s, s_1)$, and the set B of plays that take infinitely many times $(s, s_1)$ as well as $(s, s_2)$. In $A_1$ from some moment onwards player Odd always plays the same strategy $\tau_1$, which is persistent, thus he wins almost surely when staying in $A_1$. Similarly, he wins almost surely in $A_2$.

Playing in B, Odd switches infinitely often between the strategies $\tau_1$ and $\tau_2$. Take $u \in B$ and forget for a moment the intervals when he plays according to $\tau_2$, i.e. consider $\pi_1(u)$. Over $\pi_1(u)$ he always plays according to $\tau_1$, thus almost surely the maximal colour visited infinitely often in $\pi_1(u)$ is odd (by persistence of $\tau_1$). Symmetrically, almost surely the maximal colour visited infinitely often in $\pi_2(u)$ is also odd. Thus the maximal colour visited infinitely often in u should be odd as well almost surely. (This informal reasoning can be formalized by noting that for any Borel subset K of plays in $G_1(s)$ that stay in U, $P_{\sigma,\tau}(\pi_1^{-1}(K) \cap B) \le \sup_{\sigma_1} P_{\sigma_1,\tau_1}(K)$, where $\sigma_1$ ranges over strategies of Even in $G_1(s)$, and a similar property holds in $G_2$.) □

Lemma 10. Suppose that G is a game having values for all starting positions, $s \in V_1^{>0}(G)$ and $\tau$ a residually optimal strategy of Odd in G(s) which is also persistent on $V_1^{>0}(G)$. Let $\sigma$ be any strategy of Even in G(s). Set $X = V_0^{=1}(G) = S \setminus V_1^{>0}(G)$. Let $A = s(S \setminus \{s\})^* X S^\omega$ be the set of plays that start at s and eventually hit X without any other visit to s in the meantime than the first one, $B = s(S \setminus X)^* s S^\omega$ the set of plays that return to s without hitting X, $a = P_{\sigma,\tau}(A)$, $b = P_{\sigma,\tau}(B)$. Then $\mathrm{val}_0(G(s)) \ge$

Proof. The set of plays starting at s can be partitioned into three disjoint sets A, B and the set C of plays that after leaving s never return to s and never hit X. By the persistence of $\tau$ we get that $P_{\sigma,\tau}(C \cap \mathrm{Win}_1(s)) = P_{\sigma,\tau}(C)$, i.e. $P_{\sigma,\tau}(C \cap \mathrm{Win}_0(s)) = 0$. On the other hand, since B is just a disjoint union of the sets of the form $hS^\omega$ with $h \in H$, where H consists of the histories of the form sh's such that h' contains neither s nor elements of X, by Lemma 4 we get $P_{\sigma,\tau}(\mathrm{Win}_0(s) \cap B) = \sum_{h \in H} P_{\sigma,\tau}(hS^\omega)\, P_{\sigma_h,\tau_h}(\mathrm{Win}_0(s))$. But $P_{\sigma_h,\tau_h}(\mathrm{Win}_0(s)) \le \mathrm{val}_0(G(s))$ since $\tau_h$ is optimal (because $\tau$ is residually optimal). Summarizing all these identities we get

$$P_{\sigma,\tau}(\mathrm{Win}_0(s)) = P_{\sigma,\tau}(A \cap \mathrm{Win}_0(s)) + P_{\sigma,\tau}(B \cap \mathrm{Win}_0(s)) + P_{\sigma,\tau}(C \cap \mathrm{Win}_0(s)) \le P_{\sigma,\tau}(A) + \sum_{h \in H} P_{\sigma,\tau}(hS^\omega)\, P_{\sigma_h,\tau_h}(\mathrm{Win}_0(s)) \le a + \mathrm{val}_0(G(s)) \sum_{h \in H} P_{\sigma,\tau}(hS^\omega) = a + b \cdot \mathrm{val}_0(G(s)).$$

Since this inequality is valid for all strategies of Even we get $\mathrm{val}_0(G(s)) = \sup_\sigma P_{\sigma,\tau}(\mathrm{Win}_0(s)) \le a + b \cdot \mathrm{val}_0(G(s))$. □

Proof of Proposition 2

(i) was already proved in Lemma 7. (ii) is just a consequence of (iii) and (iv). (iii) is obvious: if player Even always takes the transition $s \to s_1$ when visiting s in G then from the point of view of Odd playing against such a strategy is like playing in $G_1$, thus certainly he cannot win more than he wins in $G_1$.

To prove (iv) we consider two cases.

Set $Y = V_1^{>0}(G_1) = V_1^{>0}(G_1) \cap V_1^{>0}(G_2)$, where the last equality follows from (i).

If $s \notin Y$ then for each $s' \in Y$ it suffices to take as $\tau$ the strategy $\tau_1$ assumed in Condition D. Player Odd can use it as long as the token stays in Y just as in the game $G_1(s')$. This strategy secures for him the winning probability of at least $\mathrm{val}_1(G_1(s'))$, is residually optimal and is persistent on Y.

Thus the only interesting case is when $s \in Y$. Then, by Lemma 8, $Y = V_1^{>0}(G_1) = V_1^{>0}(G_2)$. Suppose that $\tau_1$ and $\tau_2$ are residually optimal persistent strategies of Odd in $G_1(s)$ and $G_2(s)$. Set $\tau = \tau_1 \,I\, \tau_2$. We prove first that $\tau$ has all required properties in the game G(s).

The persistence of $\tau$ follows from Lemma 9. To prove the optimality of $\tau$ take any strategy $\sigma$ in G(s). Set $t = \mathrm{val}_0(G_2(s)) = \min\{\mathrm{val}_0(G_1(s)), \mathrm{val}_0(G_2(s))\}$. Thus our aim is to prove that $P_{\sigma,\tau}(\mathrm{Win}_0(s)) \le t$.

By the persistence of $\tau$, $P_{\sigma,\tau}(\mathrm{Win}_0(s)) = P_{\sigma,\tau}(\mathrm{Win}_0(s) \cap D)$, where D is the set of plays that eventually hit the set $X = S \setminus Y$ of states. But $P_{\sigma,\tau}(\mathrm{Win}_0(s) \cap D) \le P_{\sigma,\tau}(D)$. Therefore in the sequel it suffices to prove that $P_{\sigma,\tau}(D) \le t$.

Note that D is a disjoint union of the sets $uS^\omega$, $u \in U$, where U consists of histories of the form $u = su'x$ with $x \in X$ and u' not containing elements of X.

Let $U_n = \{u \in U \mid \text{the number of occurrences of } s \text{ in } u \text{ is at most } n\}$.

Then $D = US^\omega = \bigcup_{n \ge 1} U_nS^\omega$ and by monotonicity of measures $P_{\sigma,\tau}(D) = \lim_n P_{\sigma,\tau}(U_nS^\omega)$. Therefore to guarantee $P_{\sigma,\tau}(D) \le t$ it suffices to prove $P_{\sigma,\tau}(U_nS^\omega) \le t$ for all n.

We proceed by induction on n. The case n = 1 is a special case of the induction step. Thus assume that $P_{\sigma,\tau}(U_nS^\omega) \le t$ and we sketch the proof of the similar inequality for n + 1. By Bayes' formula:

$$\begin{aligned} P_{\sigma,\tau}(U_{n+1}S^\omega) &= P_{\sigma,\tau}(U_{n+1}S^\omega \mid ss_1S^\omega)\, P_{\sigma,\tau}(ss_1S^\omega) + P_{\sigma,\tau}(U_{n+1}S^\omega \mid ss_2S^\omega)\, P_{\sigma,\tau}(ss_2S^\omega) \\ &= P_{\sigma,\tau}(U_{n+1}S^\omega \mid ss_1S^\omega)\, \sigma(s_1 \mid s) + P_{\sigma,\tau}(U_{n+1}S^\omega \mid ss_2S^\omega)\, \sigma(s_2 \mid s) \end{aligned} \quad (3)$$

Let $\sigma_1, \sigma_2$ be strategies identical with $\sigma$ everywhere except on the first step: $\sigma_1(s_1 \mid s) = \sigma_2(s_2 \mid s) = 1$, $\sigma_1(s_2 \mid s) = \sigma_2(s_1 \mid s) = 0$. Then we can replace the conditional probabilities in (3) since

$$P_{\sigma,\tau}(U_{n+1}S^\omega \mid ss_1S^\omega) = P_{\sigma_1,\tau}(U_{n+1}S^\omega) \quad \text{and} \quad P_{\sigma,\tau}(U_{n+1}S^\omega \mid ss_2S^\omega) = P_{\sigma_2,\tau}(U_{n+1}S^\omega). \quad (4)$$

Now note that $P_{\sigma_1,\tau}(U_{n+1}S^\omega)$ decomposes into the sum of the probability to hit X without returning to s (we denote this probability $a_1$, in the notation of Lemma 10) and the probability to return to s without hitting X (that we denote $b_1$) multiplied by the probability to visit afterwards s at most n times before hitting X, which is less than or equal to t by the induction hypothesis. In other words, $P_{\sigma_1,\tau}(U_{n+1}S^\omega) \le a_1 + b_1 \cdot t$, where by Lemma 10 $t \ge \mathrm{val}_0(G_1(s)) \ge$ Similar inequalities hold for $P_{\sigma_2,\tau}(U_{n+1}S^\omega)$. These inequalities and Eqs (3) and (4) imply that $P_{\sigma,\tau}(U_{n+1}S^\omega) \le t \cdot (\sigma(s_1 \mid s) + \sigma(s_2 \mid s)) = t$.

The proof that $\tau$ is not only optimal but also residually optimal follows a similar reasoning.

For plays starting in the states s' other than s we can take as a strategy in G(s') the strategy $\tau'_1[\tau]$, where $\tau'_1$ is optimal and persistent in $G_1(s')$ and $\tau$ is the interleaving strategy in G(s) for which we have just proved the optimality. □
Abstract. We consider a secrecy property in a simple process calculus with cryptographic primitives. The standard Dolev-Yao attacker is
enhanced so that it can guess the key for decrypting an intercepted mes- 
sage. We borrow from the computational complexity approach to secrecy 
the assumptions that guessing succeeds with a given negligible probabili- 
ty and that the resources available to attackers are polynomially bound. 
Under these hypotheses we prove that the standard Dolev-Yao attacker 
is as powerful as the enhanced one. 



1 Introduction 

The analysis of security protocols has been the subject of a lot of recent work. 
While the problem has been approached in many different ways, the techniques 
used can be classified into two main classes. On the one side, we have results 
coming from computational complexity theory which offers a detailed, in-depth 
view of cryptosystems and protocols and deals with probability and algorithms. 
On the other side, formal methods provide abstractions that allow for mechanical 
proofs of protocol properties, but often require stronger assumptions (e.g. perfect 
or unbreakable encryption). 

Some efforts to bridge the gap have been made. Abadi and Rogaway [4] relate a formal equivalence between two terms to the computational infeasibility of distinguishing between their encodings into bit strings. Also, Troina et al. [13] follow a similar line and refine the equivalence of [4]. Backes and Jacobi's paper [5] is also related. These papers go from the computational towards the formal approach.

We instead proceed in the opposite direction: we use a process calculus to model cryptographic protocols and we explicitly allow the attacker to break encryptions by means of a guessing operation. Roughly speaking, once it has intercepted a message, the attacker can deduce the key to decrypt it with a given probability.

Computational reasoning predicts that guessing is hard, provided that the 
cryptosystem is good, the attacker has only a reasonably bounded computational 
power (e.g. the attacker is in P-Time), and the keys are long enough. Many 
other factors affect the probability of guessing, but for the sake of simplicity, 
often one considers only those above. Also, the actual probability distribution is 
left implicit and the results about the robustness of protocols are proved taking 
these probabilities as a parameter. Here, we shall follow the same pattern. 
We compare the traditional Dolev-Yao model (DY for short), in which guessing is not permitted, with our enhancement (DYp). The comparison is made easy by the fact that, if we forbid the use of the guessing operation, the DYp model collapses to DY. Moreover, since we only deal with discrete probability distributions, removing the guessing operation is equivalent to assuming the guessing probability to be null everywhere.

We give two definitions of secrecy for a protocol. Both are given in Sect. 4 and consider only the secrecy of a selected piece of data. One definition is the traditional one: it states that the attacker cannot learn a given secret by interacting with the protocol and by constructing/deconstructing the intercepted data with no bounds, except for encryptions being unbreakable. The other definition, instead, is taken from the computational complexity approach: the probability of learning a certain secret is a function of the key length, assuming the attacker is in P-Time and breaking the cryptosystem is a problem not in P-Time. Then, one studies the asymptotic behaviour of this function. Our first secrecy definition is tailored to the DY model, and our second one is apt for the DYp model.

Our main result shows that the two security definitions are equivalent. On the one hand, this result is not surprising: increasing the length of the keys and still keeping the attacker polynomially bounded (with respect to the key length) results in a virtually perfect encryption. On the other hand, under the standard hypothesis that guessing is hard, the traditional DY model has an accuracy comparable with that of the DYp model, in spite of being considerably simpler (see Sect. 4 for protocol evaluation in the DYp model).

In this note we make some assumptions in order to keep the presentation short 
and simple. In Sect. 5 we shall argue that many of them do not affect our main 
result. Also, the calculus we use is rather simple (its syntax and semantics are in 
Sect. 2 and 3), but can easily be extended to cover aspects not considered here. 

2 A Simple Process Calculus: Syntax 

We introduce a simple process calculus which can be used to model cryptographic protocols. This calculus is basically a variant of the π-calculus [10] enriched with cryptographic primitives, much alike the Spi-calculus [2]. Since we want to keep our calculus as simple as possible, we use only symmetric encryption in the calculus. Further extensions will be addressed in Sect. 5.

Let $\mathcal{N}$ be a denumerable set of names and let $\mathcal{V}$ be a denumerable set of variables. We use the letters n, m, o to range over $\mathcal{N}$ and the letters x, y, z to range over $\mathcal{V}$. Under these assumptions, we define terms in the following way. Terms represent the messages that are sent over the network when the protocol is run. Their meaning is standard.

L, M, N ::= 0 | 1          bit
          | x              variable
          | n              name
          | (M, N)         pair
          | {M}_N          symmetric encryption
We now define processes in the following way:

P, Q, R ::= nil                         null process
          | (x).P                       input
          | ⟨M⟩.P                       output
          | (P | Q)                     composition
          | ! P                         replication
          | (new n)P                    declaration
          | if M = N then P else Q      conditional
          | split M as (x, y) in P      split
          | decrypt M as {x}_N in P     symmetric decryption

The above syntax is quite standard, and readers familiar with other process 
calculi will find it rather straightforward. A simple informal description follows. 

The nil process does not perform any operation. The input process (x).P reads a value from the network, assigns it to the variable x and then behaves as P. The output process ⟨M⟩.P sends a value over the network and then behaves as P. The parallel composition of two processes is denoted by (P | Q). The replication ! P behaves as the parallel composition of an unlimited number of P processes. We write (new n)P for the creation of new names (i.e., new keys, fresh nonces, etc.). The conditional tests whether two terms are equal. Split and decryption are used to destruct pair and encryption terms. Note that the decryption requires the (secret) key to succeed.

The most important features of this calculus are the following: 

— All the input and output operations use the same global public channel, unlike some other calculi, such as the π-calculus or the Spi-calculus, where input and output occur on given channels.

While this makes it impossible, for instance, to specify the destination for a message (which is very inconvenient from a programmer's point of view), it models the standard Dolev-Yao assumption which states that the attacker is able to reroute messages.

— There are no private channels in our calculus. Private channels could be used to model secure links and will be discussed in Sect. 5.

A variable is said to be bound if it occurs under an input prefix, split, or decryp- 
tion; otherwise it is said to be free. Similarly, a name is bound if it occurs under a 
declaration (new n), otherwise it is free. We write fv(P), bv(P), fn(P), bn(P) re- 
spectively for (the set of) the free variables, the bound variables, the free names, 
and the bound names of the process P. 

3 A Simple Process Calculus: Semantics 

We define an attacker-aware semantics of our process calculus. This means that our semantics explicitly assumes the presence of an attacker and models the interaction between it and the system which executes a certain protocol (i.e. a process P).

We first make two assumptions about what the attacker can or cannot do:

— As the Dolev-Yao attacker, ours can intercept and learn messages as they are sent over the network. The attacker can then send over the network terms built from the known messages by using the following operations: pairing, splitting of pairs, encryption, and decryption. This also implies the attacker is able to reroute, discard, and replace messages, possibly pretending they are from someone else;

— Unlike the Dolev-Yao attacker, ours can also guess a key which has been used to encrypt some message. This special operation, however, only succeeds with a given probability.



3.1 The Attacker 

We introduce the following entailment rules, that define the operations of the attacker. Each rule can be read as: “the attacker can build the term on the right hand side of the arrow provided it knows the terms on the left hand side”. (We comment below on only having names as keys.)

DYCons   $M, N \vdash^{1}_{DY} (M, N)$
DYFst    $(M, N) \vdash^{1}_{DY} M$
DYSnd    $(M, N) \vdash^{1}_{DY} N$

DYEnc    $M, n \vdash^{1}_{DY} \{M\}_n$
DYDec    $\{M\}_n, n \vdash^{1}_{DY} M$

DYGuess  $\{M\}_n \vdash^{p}_{DY} n$

Each arrow has a label, expressing the probability that the operation succeeds. 
The first five rules are the traditional Dolev-Yao rules and get probability 1 as 
they never fail. Instead, rule DYGuess allows the attacker to guess the secret key 
n with probability p. 

However, a question arises: what should we choose as success probability p 
for DYGuess? 

In the computational complexity approach, the guessing probability depends 
on many factors, such as which cryptosystem was used for the encryption, the 
length of the key used, whether the attacker knows other messages encrypted 
with the same key, whether the attacker knows the plaintext, the amount of 
computational resources (i.e. time) spent by the attacker, and so on. Even if all 
these factors are taken into account, there is no handy formula for the guessing 
probability. Therefore, in order to keep our system simple, we make some further 
assumptions: 

— We constrain encryptions to use only names as keys: all the encryptions thus must be of the form $\{M\}_n$. This can be enforced by a simple type system. Furthermore, we assume that names are encoded as bit strings of the same length η¹.

— We assume that the guessing probability depends only on η: we write it as $P_{guess}(\eta)$. In particular, it does not depend on the result (success or failure) of previous DYGuess operations. Most importantly, here we stipulate that the attacker consumes one unit of computational resources in order to perform the guess. We shall further discuss this point in Sect. 5.

¹ In the computational complexity approach, η is typically referred to as the security parameter. Here, we simply identify it with the key length.

Intuitively, the function $P_{guess}$ describes the strength of the cryptosystem: if $P_{guess}(\eta)$ is small, the cryptosystem is strong. Typically, in the computational complexity approach, a cryptosystem is regarded as safe if the function $P_{guess}$ (or another similar function) “quickly” approaches zero as η increases. In other words, this means that the strength of the cryptosystem rapidly increases as soon as larger keys are used. We shall use this kind of asymptotic assumption on $P_{guess}$ in Sect. 4.

We do not put further assumptions on $P_{guess}(\eta)$. Instead, we shall consider it a free parameter.

3.2 The Transition System 

In order to define the semantics of our calculus, we use a labeled transition system 
(LTS). Its states are composed of: 

— the attacker’s knowledge $\mathcal{K}$, which represents the set of terms that the attacker has learnt or built so far;

— a process P, which represents the current state of the execution of the protocol;

— an optional pair (p, N), used to model the fact that the attacker is about to learn the term N with probability p.

We write $(\mathcal{K}, P)$ (or, if the optional part is present, $(\mathcal{K}, P)^{p,N}$) to represent a generic state of the LTS.

We now give the intuition underlying our transitions. A first kind of transition 
models a “standard” action of a process P: 

$(\mathcal{K}, P) \xrightarrow{\mu} (\mathcal{K}', P')$

Initially, the attacker has knowledge $\mathcal{K}$. Then, P performs an action and becomes P'. If the action is the output of a message M, the new knowledge is $\mathcal{K}' = \mathcal{K} \cup \{M\}$, otherwise $\mathcal{K}' = \mathcal{K}$.

Another kind of transition models an action of the attacker:

$(\mathcal{K}, P) \xrightarrow{\Diamond} (\mathcal{K}, P)^{p,N}$

This transition represents the choice of some operation op the attacker is going to apply to the terms it knows. The superscript p is the probability to get the result N (p ≠ 1 only when the operation is a guess). From the target state of a $\xrightarrow{\Diamond}$ transition, two transitions exit. One transition represents the success of operation op and is of the form

$(\mathcal{K}, P)^{p,N} \xrightarrow[p]{\Diamond s} (\mathcal{K} \cup \{N\}, P)$

The other transition instead represents the failure of op:

$(\mathcal{K}, P)^{p,N} \xrightarrow[1-p]{\Diamond f} (\mathcal{K}, P)$

Both these transitions are labeled with the corresponding probability.

We now define the transitions $\xrightarrow{\mu}$, $\xrightarrow{\Diamond}$ and $\xrightarrow{\Diamond s/f}$.



Process Actions ($\xrightarrow{\mu}$). It is convenient to partition the set of names $\mathcal{N}$ into equivalence classes. We assume that α-conversion of a name is only performed within its equivalence class. We write $n \sim_\alpha m$ when n and m belong to the same equivalence class. We also extend the relation $\sim_\alpha$ homomorphically to terms.

We write P{M/x} for the substitution of the term M at every free occurrence of x in P, possibly α-converting bound names if necessary. We also write $M \,\tilde{\in}\, \mathcal{K}$ for $\exists N \in \mathcal{K}.\ M \sim_\alpha N$.

In order to keep our system simple, we consider processes up to the structural congruence relation ≡, defined as the minimum congruence on the set of processes $\mathcal{P}$ including (our constrained) α-conversion, and such that $(\mathcal{P}/\!\equiv, \mid, \mathrm{nil})$ is an abelian monoid.

We now give the rules for $\xrightarrow{\mu}$, representing one action performed by P. The transition label μ can be either a name or the special symbol τ.

μIn:    if $M \in \mathcal{K}$ then $(\mathcal{K}, (x).P) \xrightarrow{\tau} (\mathcal{K}, P\{M/x\})$

μOut:   $(\mathcal{K}, \langle M \rangle.P) \xrightarrow{\tau} (\mathcal{K} \cup \{M\}, P)$

μDecl:  if n does not occur in any term of $\mathcal{K}$ then $(\mathcal{K}, (\mathrm{new}\ n)P) \xrightarrow{n} (\mathcal{K}, P)$

(replication)  $(\mathcal{K}, !P) \xrightarrow{\tau} (\mathcal{K}, P \mid !P)$

μPar:   if $(\mathcal{K}, P) \xrightarrow{\mu} (\mathcal{K}', P')$ and $\mu = \tau \vee \mu \notin fn(Q)$ then $(\mathcal{K}, P \mid Q) \xrightarrow{\mu} (\mathcal{K}', P' \mid Q)$

μThen:  $(\mathcal{K}, \mathrm{if}\ M = M\ \mathrm{then}\ P\ \mathrm{else}\ Q) \xrightarrow{\tau} (\mathcal{K}, P)$

μElse:  if $M \neq N$ then $(\mathcal{K}, \mathrm{if}\ M = N\ \mathrm{then}\ P\ \mathrm{else}\ Q) \xrightarrow{\tau} (\mathcal{K}, Q)$

μDec:   $(\mathcal{K}, \mathrm{decrypt}\ \{M\}_n\ \mathrm{as}\ \{x\}_n\ \mathrm{in}\ P) \xrightarrow{\tau} (\mathcal{K}, P\{M/x\})$

μSplit: $(\mathcal{K}, \mathrm{split}\ (M, N)\ \mathrm{as}\ (x, y)\ \mathrm{in}\ P) \xrightarrow{\tau} (\mathcal{K}, P\{M/x\}\{N/y\})$

These rules are rather straightforward. We only note that the μIn rule requires $M \in \mathcal{K}$, thus modeling the attacker sending a known term to the process. Rule μOut instead makes the attacker learn the term M. Rules μDecl and μPar ensure that fresh names are generated each time a (new n) is executed.

Moreover, we note that if $(\mathcal{K}, P)$ is closed (i.e., P has no free variables and $\mathcal{K}$ only contains ground terms) all the states reachable from it are also closed. Also note that in the rules above the terms M and N are ground, provided that the source state is closed.
Attacker Actions. We can now define the $\xrightarrow{\Diamond}$ and $\xrightarrow{\Diamond s/f}$ transitions as follows.

♦Decision1:  if $M \in \mathcal{K}$ and $M \vdash^{p}_{DY} N$ then $(\mathcal{K}, P) \xrightarrow{\Diamond} (\mathcal{K}, P)^{p,N}$

♦Decision2:  if $L, M \in \mathcal{K}$ and $L, M \vdash^{p}_{DY} N$ then $(\mathcal{K}, P) \xrightarrow{\Diamond} (\mathcal{K}, P)^{p,N}$

♦Success:  $(\mathcal{K}, P)^{p,N} \xrightarrow[p]{\Diamond s} (\mathcal{K} \cup \{N\}, P)$

♦Failure:  $(\mathcal{K}, P)^{p,N} \xrightarrow[1-p]{\Diamond f} (\mathcal{K}, P)$

The $\xrightarrow{\Diamond}$ transitions model the choice of 1) which entailment rule the attacker is going to apply, and 2) which arguments it is applied to. Once the choice is made, the ♦Success and ♦Failure rules model the actual application of the entailment rule. In case of success, the term N is added to the attacker’s knowledge. Note that the $\xrightarrow[p]{\Diamond s}$ ($\xrightarrow[1-p]{\Diamond f}$) transition records the success (failure) probability, inherited from the entailment rule applied.



4 Protocol Evaluation 

Having established our attacker-aware semantics, we can evaluate the strength 
of a given protocol. We actually focus on checking whether a protocol guarantees 
secrecy. This property can be easily expressed in our model because the states of our LTS explicitly expose the knowledge of the attacker $\mathcal{K}$. This allows us to check whether the attacker knows a term M by simply checking whether $M \in \mathcal{K}$.

We define the probability that the attacker, having initial knowledge $\mathcal{K}$, will learn a given term M by interacting with a process P for a limited period. In order to accomplish this, we put a bound t on the number of transitions. This bound limits the sum of 1) the number of interactions between the attacker and the process P (i.e., of $\xrightarrow{\mu}$ transitions) and 2) the number of operations the attacker can perform (i.e., of $\xrightarrow{\Diamond}$ $\xrightarrow{\Diamond s/f}$ pairs of transitions).

We denote that probability by $\mathcal{P}^{t}_{M,P_{guess}(\eta)}(\mathcal{K}, P)$. For brevity, we often omit $P_{guess}(\eta)$, insisting that it is a free parameter.

In order to define $\mathcal{P}^{t}_{M}(\mathcal{K}, P)$, we make the following assumptions:

— $(\mathcal{K}, P)$ is closed and $\mathcal{K}$ is nonempty;

— $fn(P) \cap bn(P) = \emptyset$; also, names occurring in declarations belong to distinct equivalence classes. In this way, we can track the origin of names. For instance, we can check whether $P = {!}(\mathrm{new}\ n)\langle n \rangle.\mathrm{nil} \mid Q$ discloses an instance of n by checking whether $n \,\tilde{\in}\, \mathcal{K}'$ for some state $(\mathcal{K}', P')$ reachable from $(\mathcal{K}, P)$, where n does not occur in $\mathcal{K}$;

— among the transitions outgoing from a state and labeled by μ or ♦, we consider only the one leading to the best state for the attacker. This is fairly standard in formal models: a protocol is regarded as unsafe if some execution trace leads to the disclosure of a secret. An alternative probabilistic approach will be discussed in Sect. 5.
Definition 1. $\mathcal{P}^{t}_{M,P_{guess}(\eta)}(\mathcal{K}, P)$ is defined by induction on t by the following equations².

$\mathcal{P}^{t}_{M}(\mathcal{K}, P) = 1 \quad \text{if } M \,\tilde{\in}\, \mathcal{K}$   (1)

$\mathcal{P}^{0}_{M}(\mathcal{K}, P) = 0$   (2)

$\mathcal{P}^{t}_{M}(\mathcal{K}, P) = \max\Big( \{ \mathcal{P}^{t-1}_{M}(\mathcal{K}', P') \mid (\mathcal{K}, P) \xrightarrow{\mu} (\mathcal{K}', P') \} \cup \{ \mathcal{P}^{t}_{M}(\mathcal{K}, P)^{p,N} \mid (\mathcal{K}, P) \xrightarrow{\Diamond} (\mathcal{K}, P)^{p,N} \} \Big)$   (3)

$\mathcal{P}^{t}_{M}(\mathcal{K}, P)^{p,N} = \sum \{ q \cdot \mathcal{P}^{t-1}_{M}(\mathcal{K}', P) \mid (\mathcal{K}, P)^{p,N} \xrightarrow[q]{\Diamond s/f} (\mathcal{K}', P) \}$   (4)

Equation (1) checks whether M was disclosed. Equation (2) instead checks whether M was not disclosed and time ran out (i.e., t = 0). Equation (3) chooses the transition which is the best for the attacker; the chosen transition may be a process action $\xrightarrow{\mu}$ or an attacker action $\xrightarrow{\Diamond}$ corresponding to some operation op. Equation (4) considers both the cases when the operation op succeeds ($(\mathcal{K}, P)^{p,N} \xrightarrow[p]{\Diamond s} (\mathcal{K} \cup \{N\}, P)$) and fails ($(\mathcal{K}, P)^{p,N} \xrightarrow[1-p]{\Diamond f} (\mathcal{K}, P)$). Then, the probability of discovering M from $(\mathcal{K}, P)^{p,N}$ is the sum of the probability of discovering M from $(\mathcal{K} \cup \{N\}, P)$ weighted by p, and from $(\mathcal{K}, P)$, weighted by 1 − p. Equation (4) could also be written as

$\mathcal{P}^{t}_{M}(\mathcal{K}, P)^{p,N} = p \cdot \mathcal{P}^{t-1}_{M}(\mathcal{K} \cup \{N\}, P) + (1 - p) \cdot \mathcal{P}^{t-1}_{M}(\mathcal{K}, P)$

The right hand sides of the equations in Definition 1 do not depend on the choice of names, i.e. they are not affected by our constrained version of α-conversion (note the use of the relation $\tilde{\in}$ in (1)). Also, from any state $(\mathcal{K}, P)$, only finitely many transitions $\xrightarrow{\mu}$ and $\xrightarrow{\Diamond}$ exit (up to α-conversion). Therefore, in (3), max is applied to a finite set. Moreover that set is nonempty because there is always at least the $\xrightarrow{\Diamond}$ transition corresponding to the DYCons of some term belonging to the nonempty knowledge $\mathcal{K}$. Thus $\mathcal{P}^{t}_{M}(\mathcal{K}, P)$ is well-defined.
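As an added illustration (this code is not from the paper), the following Python computes $\mathcal{P}^{t}_{M}(\mathcal{K}, P)$ of Definition 1 over the Sect. 3.1 entailment rules for a deliberately small fragment of the calculus: P is a sequence of outputs only (no input, (new n), replication or α-conversion), keys are names, and $P_{guess}$ is a constant. The protocol ⟨{m}_k⟩.nil, the names m and k, and the initial knowledge {0, 1} are constructed for the demonstration.

```python
"""Added example, not the paper's code: P^t_M(K, P) for an output-only process."""
from functools import lru_cache

# Terms: a name is a str; the pair (M, N) is ('pair', M, N); {M}_n is ('enc', M, n).
def pair(m, n):
    return ('pair', m, n)

def enc(m, key):
    assert isinstance(key, str), "keys are names only (Sect. 3.1 assumption)"
    return ('enc', m, key)

def attacker_moves(K, p_guess):
    """Yield (probability, N) for every entailment rule applicable to terms of K."""
    names = [x for x in K if isinstance(x, str)]
    for M in K:
        for N in K:
            yield 1.0, pair(M, N)            # DYCons: M, N |- (M, N)
        for n in names:
            yield 1.0, enc(M, n)             # DYEnc:  M, n |- {M}_n
        if isinstance(M, tuple) and M[0] == 'pair':
            yield 1.0, M[1]                  # DYFst
            yield 1.0, M[2]                  # DYSnd
        if isinstance(M, tuple) and M[0] == 'enc':
            if M[2] in K:
                yield 1.0, M[1]              # DYDec: {M}_n, n |- M
            yield p_guess, M[2]              # DYGuess: {M}_n |-^p n

def secrecy_prob(K, proc, M, t, p_guess):
    """P^t_M(K, P) of Definition 1; proc is the tuple of terms P still outputs.

    Equation (1): M known -> 1; (2): t = 0 -> 0; (3): max over the muOut
    transition and every attacker move; (4): p * success + (1 - p) * failure."""
    @lru_cache(maxsize=None)
    def P(K, proc, t):
        if M in K:                           # (1): M already disclosed
            return 1.0
        if t == 0:                           # (2): time ran out
            return 0.0
        options = []
        if proc:                             # muOut: the attacker learns the head
            options.append(P(K | {proc[0]}, proc[1:], t - 1))
        for p, N in attacker_moves(K, p_guess):
            if N in K:                       # re-deriving a known term never helps
                continue
            success = p * P(K | {N}, proc, t - 1) if p > 0 else 0.0
            failure = (1 - p) * P(K, proc, t - 1) if p < 1 else 0.0
            options.append(success + failure)
        # If every derivable term is already known, the attacker still has a
        # DYCons transition (Sect. 4) that spends a step and leaves the state as is.
        return max(options) if options else P(K, proc, t - 1)
    return P(frozenset(K), tuple(proc), t)

if __name__ == "__main__":
    K0 = {'0', '1'}                          # the attacker initially knows 0 and 1
    leaky = (enc('m', 'k'),)                 # constructed P = <{m}_k>.nil, secret m
    for t in (3, 4):                         # one more step buys one more guess
        print(f"t={t}: P^t_m = {secrecy_prob(K0, leaky, 'm', t, 0.1):.4f}")
    print("P_guess = 0 (DY-safety, Def. 5):", secrecy_prob(K0, leaky, 'm', 4, 0.0))
    print("key later disclosed, t=3:", secrecy_prob(K0, (enc('m', 'k'), 'k'), 'm', 3, 0.0))
```

With $P_{guess}$ = 0.1 the value is 0.1 at t = 3 (output, guess, decrypt) and 1 − 0.9² at t = 4, while with $P_{guess}$ = 0 it stays 0 for every t unless the protocol itself leaks the key.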

A Probabilistic Secrecy Notion. The probability $\mathcal{P}^{t}_{M,P_{guess}(\eta)}(\mathcal{K}, P)$ measures the strength of a protocol as a function of the parameters t, $\mathcal{K}$ and $P_{guess}(\eta)$. We now aim for a definition of safe protocol which abstracts from those parameters.

In the computational complexity approach, a protocol is regarded as safe if, for any attacker with polynomially bounded resources (with respect to the security parameter η), the probability of disclosing a secret (as a function of η) is negligible, provided that the cryptosystem is strong, i.e. it can be broken only with a negligible probability by such an attacker. A function is said to be negligible if it approaches zero faster than any rational function. Formally:

Definition 2. We say that a function $f : \mathbb{N} \to \mathbb{R}$ is negligible iff

$\forall k \in \mathbb{N}\ \exists \eta_0 \in \mathbb{N}\ \forall \eta \in \mathbb{N}.\ \eta > \eta_0 \Rightarrow |f(\eta)| < \eta^{-k}$

² We assume that, whenever two equations overlap, the topmost one applies. 
For example, $2^{-\eta}$ is negligible.

We map the definition of safe protocol surveyed above into our model. In order to (polynomially) bound the resources of the attacker, we let $t = \eta^{k}$. To us, a strong cryptosystem is such that $P_{guess}$ is negligible. Finally, we assume that the attacker initially knows only the terms 0 and 1. We can now define safety in the following way:

Definition 3. We say that a protocol P is DY_p-safe with respect to a secret term M iff, for any $P_{guess} : \mathbb{N} \to [0, 1]$,

$P_{guess} \text{ negligible} \Rightarrow \forall k \in \mathbb{N}.\ \mathcal{P}^{\eta^{k}}_{M,P_{guess}(\eta)}(\{0,1\}, P) \text{ negligible}$

The above definition can be read as: P is safe if, provided we are using a strong cryptosystem, any attacker with polynomially bounded resources has only negligible probability of discovering M. Note that, if $P_{guess}(\eta) > 0$, bounding the resources of the attacker ($t = \eta^{k}$) is crucial, because for any protocol P which outputs a term where M occurs, we have

$\lim_{t \to \infty} \mathcal{P}^{t}_{M,P_{guess}(\eta)}(\{0,1\}, P) = 1.$

Indeed, an unbounded attacker can repeatedly apply the DYGuess rule on any encryption until it eventually succeeds.



Towards a Comparison against Traditional Secrecy. We compare the above definition of DY_p-safe process with the standard notion of secrecy used in formal models (DY_std-safety), which assumes a deterministic Dolev-Yao attacker.

Definition 4. We say that a protocol P is DY_std-safe w.r.t. a secret M iff

$\forall \mathcal{K}, P'.\ (\{0,1\}, P) \rightarrow^{*} (\mathcal{K}, P') \Rightarrow M \,\tilde{\notin}\, \mathcal{K}$

where the arrow → stands for either a $\xrightarrow{\mu}$ transition or a pair $\xrightarrow{\Diamond}$ $\xrightarrow{\Diamond s}$ derived from a deterministic Dolev-Yao rule (i.e. not using DYGuess).

Note that this definition does not bound the number of transitions and therefore, unlike Definition 3, is not resource-conscious.

It is convenient to rephrase the DY_std-safety property using $\mathcal{P}^{t}_{M}$ in order to simplify the comparison between Definitions 3 and 4. A trivial way of making the DYGuess rule harmless is assuming a null guessing probability: this makes our model deterministic.

Definition 5. Let $P_0$ be the constant null function. We say that a protocol P is DY-safe with respect to a secret M iff

$\forall t, \eta \in \mathbb{N}.\ \mathcal{P}^{t}_{M,P_0(\eta)}(\{0,1\}, P) = 0.$




A Note on the Perfect Encryption Assumption in a Process Calculus 523 

Proposition 1. The probability $\mathcal{P}^{t}_{M,P_0(\eta)}(\mathcal{K}, P)$ is either 0 or 1.

Proof. Trivial induction. □

Moreover, it is easy to show by induction that Definitions 4 and 5 are indeed equivalent, as the following proposition states:

Proposition 2. P is DY_std-safe (w.r.t. M) iff P is DY-safe (w.r.t. M).

Proposition 2 allows us to compare DY_p-safety against DY_std-safety by instead comparing DY_p-safety against DY-safety, as shown in the next section.



4.1 Comparing DY and DYp Attackers 

The following obvious lemma says that the probability of discovering a secret increases with the power of the attacker; its proof is by easy induction on t.

Lemma 1 (Monotonicity). If $\forall \eta \in \mathbb{N}.\ P_{guess_1}(\eta) \le P_{guess_2}(\eta)$ and $t_1 \le t_2$, then

$\forall \eta \in \mathbb{N}.\ \mathcal{P}^{t_1}_{M,P_{guess_1}(\eta)}(\mathcal{K}, P) \le \mathcal{P}^{t_2}_{M,P_{guess_2}(\eta)}(\mathcal{K}, P)$

Our main result states the equivalence of DY_p-safety and DY-safety. We simply sketch its proof.

Theorem 1. P is DY_p-safe (w.r.t. M) if and only if P is DY-safe (w.r.t. M).

Proof (sketch). We rewrite the statement in the following way:

P is not DY_p-safe w.r.t. M ⟺ P is not DY-safe w.r.t. M

(⇐) We have that, for some ε > 0 and $t \in \mathbb{N}$, $\mathcal{P}^{t}_{M,P_0(\eta)}(\{0,1\}, P) = \varepsilon$. Therefore we can apply the monotonicity lemma and state that, for every η > t, $\mathcal{P}^{\eta}_{M,P_0(\eta)}(\{0,1\}, P) \ge \varepsilon$. This implies that $\mathcal{P}^{\eta^{1}}_{M,P_0(\eta)}(\{0,1\}, P)$ is not negligible (as a function of η). Since $P_0$ is negligible, we conclude that P is not DY_p-safe.

(⇒) By hypothesis, for some k and some negligible $P_{guess}$, $\mathcal{P}^{\eta^{k}}_{M,P_{guess}(\eta)}(\{0,1\}, P)$ is not negligible.

We now examine the definition of $\mathcal{P}^{t}_{M}(\mathcal{K}, P)$. Given t, M, $P_{guess}(\eta)$, $\mathcal{K}$, and P, we can fully expand the definition to form a tree like the following one:

[Figure: the tree obtained by fully expanding the definition (max nodes, weighted sum nodes and 0/1 leaves); not recoverable from the extracted text.]
We now simplify this tree by removing every max node from it and simply replacing it with one of its children which evaluates to the maximum. This new tree is made only of weighted sum nodes and leaf nodes. Simplify the tree further as follows: remove all the sums with weights 0 and 1 derived from Dolev-Yao rules other than the DYGuess rule; replace them with the success subtree (the one with weight 1). The resulting tree is thus formed only by weighted sums with weights $P_{guess}(\eta)$ and $1 - P_{guess}(\eta)$ and leaves.






Now we consider how the simplified tree corresponding to $\mathcal{P}^{\eta^{k}}_{M,P_{guess}(\eta)}(\{0,1\}, P)$ changes as η increases. For every η, we write $T^{\eta}$ and $\Pi^{\eta}$ respectively for the simplified tree and the set of its paths. For every $\pi \in \Pi^{\eta}$ we define weight(π) to be the product of all the labels of the edges of the path; we also define length(π) as the length of the path and result(π) as the value of the leaf at the end of the path. It turns out that $\mathcal{P}^{\eta^{k}}_{M,P_{guess}(\eta)}(\{0,1\}, P) = \sum \{ \mathrm{weight}(\pi) \mid \pi \in \Pi^{\eta} \wedge \mathrm{result}(\pi) = 1 \}$.

Also, we write $\pi^{\eta}_{fail}$ for the path of $\Pi^{\eta}$ that represents the event in which the DYGuess rule always fails: it has weight $\mathrm{weight}(\pi^{\eta}_{fail}) = (1 - P_{guess}(\eta))^{\mathrm{length}(\pi^{\eta}_{fail})}$.

We now claim that, for some η, result($\pi^{\eta}_{fail}$) is 1. The proof is by contradiction. Assume result($\pi^{\eta}_{fail}$) = 0 for every η: we obtain

$\sum \{ \mathrm{weight}(\pi) \mid \pi \in \Pi^{\eta} \wedge \mathrm{result}(\pi) = 1 \} = \sum \{ \mathrm{weight}(\pi) \mid \pi \in \Pi^{\eta} \wedge \pi \ne \pi^{\eta}_{fail} \wedge \mathrm{result}(\pi) = 1 \} \le \sum \{ \mathrm{weight}(\pi) \mid \pi \in \Pi^{\eta} \wedge \pi \ne \pi^{\eta}_{fail} \} = 1 - \mathrm{weight}(\pi^{\eta}_{fail}) = 1 - (1 - P_{guess}(\eta))^{\mathrm{length}(\pi^{\eta}_{fail})} \le 1 - (1 - P_{guess}(\eta))^{\eta^{k}}$

which can be shown to be negligible, thus reaching a contradiction.

By establishing result($\pi^{\eta}_{fail}$) = 1 for some η, we have actually found an attack on the protocol which does not use the DYGuess rule. This attack can be used to show that P is not DY-safe. It is sufficient to lift the path $\pi^{\eta}_{fail}$ back to the unsimplified tree and observe all the choices for the max nodes. Then, we can expand the definition of $\mathcal{P}^{t}_{M,P_0(\eta)}(\{0,1\}, P)$ with $t = \eta^{k}$, which yields an isomorphic tree. Under the same choices for the max nodes made before, we have $\mathcal{P}^{\eta^{k}}_{M,P_0(\eta)}(\{0,1\}, P) = 1$. □

Theorem 1 and Proposition 2 state that the definitions of DY_std-safety, DY-safety and DY_p-safety are equivalent. Intuitively, an attacker with unbounded resources, but no hope of guessing a key, is as powerful as an attacker that might guess a key (with a small probability) but only for a bounded amount of time. This equivalence, however, only holds asymptotically (with respect to the key length). As a matter of fact, the ability formal methods have to always close the attacker knowledge (under the standard Dolev-Yao operations) subsumes the hardly mechanizable reasoning made in the computational approach.



5 Extensions and Future Work 

Our model can easily be extended to include other attacker actions and crypto- 
graphic primitives. We briefly consider some of them. 

Private Channels. It is trivial to allow private channels to model secure links by borrowing from the π- or the Spi-calculus. Terms sent through the private channels do not affect the knowledge of the attacker $\mathcal{K}$, therefore modifying our attacker-aware semantics is easy.

Breaking without Guessing. In our model we allowed the attacker to guess, i.e. to deduce the key from a given encryption. We could also allow the attacker to break encryptions and get the plaintext without guessing the key. We can do this by adding the rule

DYBreak  $\{M\}_n \vdash^{p}_{DY} M$

As for guessing, we should assume p to be some negligible function $P_{break}(\eta)$.

Blind Guessing. We could also allow blind guessing, i.e. guessing without using any previous knowledge.

DYBlindGuess  $\vdash^{p}_{DY} n$

This rule differs from DYGuess in that it allows the attacker to guess, e.g., a key that has not yet been used by the protocol, or a nonce. Therefore, it is strictly more powerful than the DYGuess rule. As for breaking, p should be negligible.

Other Cryptographic Primitives. So far, we only considered symmetric encryption. We could also model asymmetric encryption and digital signatures by adding, beyond the standard Dolev-Yao rules for asymmetric cryptography, other rules that explicitly break the cryptosystem. Many different rules can be used: we just give an example. We write $n^{+}$ and $n^{-}$ for public and private keys, respectively.

DYInvert  $n^{+} \vdash^{p}_{DY} n^{-}$    DYFakeSign  $M, n^{+} \vdash^{q}_{DY} [M]_{n^{-}}$

As above, p and q should be negligible.
Non Constant-Cost Operations. In the definition of $\mathcal{P}^{t}_{M,P_{guess}(\eta)}$ the number t is decreased by one unit for each application of an entailment rule. So, every operation of the attacker has a constant cost.

This is an oversimplification; a more adequate modeling, in particular for guessing, can be obtained as follows. A simple manner is to assume that the operations of the attacker require a non-unitary amount of resources, possibly depending on η. Another way is to relate the amount of resources consumed, e.g. for guessing, to the probability of success of the operation involved. For instance, we could have the following DYGuess rule, whose application consumes r units of resources.

DYGuess  $\{M\}_n \vdash^{P_{guess}(\eta, r)}_{DY} n$

The quantity r represents the amount of resources the attacker may decide to spend in guessing. Depending on the parameter r, a value is computed that expresses the probability of success. Thus, $P_{guess}(\eta, r)$ now takes into account both the length of the keys and the time spent. The more resources are consumed, the more likely guessing is; thus we require $P_{guess}(\eta, r)$ to be monotonic in r. We change the definition of $\mathcal{P}^{t}_{M,P_{guess}}(\mathcal{K}, P)$ so that, whenever an entailment rule requiring r resources is applied, the number t is decreased by r units (obviously, $1 \le r \le t$, thus only finitely branching fragments of the transition system are considered). Of course, we have strong cryptosystems, i.e., for any $c \in \mathbb{N}$, the probability $P_{guess}(\eta, \eta^{c})$ is negligible as a function of η. Accordingly, the definition of DY_p-safety requires that for any such $P_{guess}$ and for any $k \in \mathbb{N}$, the function $\mathcal{P}^{\eta^{k}}_{M,P_{guess}(\eta, r)}(\{0,1\}, P)$ is negligible. Also note that there is no need for r to be a constant, but it could be a function of η or any other parameter; the attacker, however, can use the rule only if it has enough resources, i.e. if $t \ge r$.

All the mentioned extensions do not significantly affect our results; in particular, Theorem 1 still holds in a model with all the above extensions, provided that the probability to break the cryptosystem is negligible. The following extensions might instead have an impact on our model.

Average-case vs. Worst-case Analysis. In the definition of $\mathcal{P}^{t}_{M}(\mathcal{K}, P)$, equation (3) only considers the transition which is the best one for the attacker (i.e., the worst case for P). Thus, it performs a worst-case analysis. An alternative would be an average-case analysis: we could consider all the transitions and weight each according to a given distribution. The hard point is to define a distribution that faithfully reflects both the scheduling of the concurrent actions by the protocol and the choices the attacker makes among its operations.

Random Choice. Sometimes protocols are specified using a toss-a-coin operation. In the computational approach this is easy, while the usual non-deterministic operator + of other process calculi is not adequate. A probabilistic choice operator $+_p$ (see e.g. Larsen and Skou [8]) accommodates well in our framework, originating transitions of the form $\xrightarrow[p]{}$, labeled with the probability p. This could be a first step towards using formal methods for proving security properties, e.g. the correctness of zero-knowledge protocols, that have been faced so far only within the computational approach.

Behavioural Equivalence. Some authors advocate the use of behavioural 
equivalence for security properties, especially non-interference. They typically 
assume a standard Dolev-Yao attacker. It would be interesting to study if and 
how these notions change when a DYp attacker is assumed, instead. 

A first step is by Abadi and Jürjens [3] who relate formal models with the computational model following [4]. They show that if two systems are equivalent from the formal point of view, then it is computationally hard for an eavesdropper to distinguish between them. (Note that they assume a passive attacker, unlike us.) Another quite different approach to probabilistic non-interference is in [12].

Partial Information. In the real world, the attacker may not be able to guess 
keys but still be able to perform statistical attacks and gather some partial 
information from intercepted messages. Unlike the computational complexity 
model, ours is not apt to study this kind of attacks. This is because we use a 
set to represent the knowledge of the attacker, thus implicitly assuming that 
the attacker either has complete knowledge of a term or no knowledge at all. In 
[7], Clark, Hunt, and Malacaria deal with information leakage using Shannon’s 
entropy. Whether this approach can also be applied to process calculi and formal 
methods is still an open issue. 

Beyond Secrecy. In our model we focus only on secrecy. However, the model 
could be extended to include other security properties such as, for instance, au- 
thentication properties. We think that the model could be generalized to address 
any safety property without much trouble. This could be the direction for future 
research. 

Towards Adaptivity. In Sect. 3 we assumed that the guessing probability depends only on η, and therefore that we can express it as $P_{guess}(\eta)$. In the real world, however, it may depend on other factors. Most importantly, as time passes and the attacker interacts with the protocol, we expect the guessing probability to increase since the attacker might learn something from, for instance, its previous guessing attempts, even if they failed (thus it is an adaptive attacker).

One could then refine our model allowing $P_{guess}$ to increase as time passes, and thus express the guessing probability as $P_{guess}(\eta, time)$, where time is the current time. Also here our main theorem should hold, under a mild hypothesis on the growth of $P_{guess}$.

6 Conclusions 

We presented a simple process calculus that can be used to specify cryptographic 
protocols. We introduced two distinct notions of secrecy, one borrowed from for- 
mal methods (DY-safety) and one adapted from the computational complexity 
theory (DY_p-safety). Under suitable assumptions, we proved the equivalence of 
these two secrecy definitions. 

A consequence of this result is that the perfect encryption assumption is 
quite acceptable. Thus, one can use the standard techniques for protocol analysis 
based on formal methods (e.g. type systems [1], control flow analysis [6], model 
checkers [9,11], etc.) to check if a given protocol is DYp-safe. 